UK hands over 585 million compromised passwords to 'Have I been pwned' service

UK National Crime Agency hands over 585 million compromised passwords to 'Have I been pwned' service


Of those, 225 million are new passwords that were not part of the database previously

Troy Hunt, the founder of the 'Have I Been Pwned' (HIBP) website, announced on Monday that the UK's National Crime Agency (NCA) has shared a colossal trove of stolen passwords with his website, which lets people check if their passwords have been compromised online.

According to Hunt, the NCA shared 585,570,857 credentials with HIBP, of which 225,665,425 were new passwords that Hunt hadn't seen before among the 613 million credentials stored in HIBP's password repository.

The NCA told Hunt that these passwords were found at a cloud storage location that belonged to a UK business and was used by unidentified actors to store compromised login data.

The credentials came from multiple data breaches, and their storage on a UK business's cloud storage meant that they were accessible to third parties "to commit further fraud or cyber offences."

Hunt said in a blog post that before Monday's announcement, there were already 613 million passwords in the live Pwned Passwords service, so the NCA contribution "represented a significant increase in size".

The data would definitely help more people know that their credentials have already been compromised, enabling them to take appropriate steps to secure their accounts, he said.

With the NCA's contribution, the number of login credentials stored in the HIBP service increased by 38 per cent, to over 847 million.

But the NCA is not the only government agency that has shared stolen credentials with the HIBP website.

Hunt said the FBI is also providing an Ingestion Pipeline that will enable mass uploads of stolen passwords by law enforcement agencies.

"We are excited to be partnering with HIBP on this important project to protect victims of online credential theft. It is another example of how important public/private partnerships are in the fight against cybercrime," Bryan A. Vorndran, Assistant Director, Cyber Division, FBI, said in May this year.

If you want to check whether your login credentials and passwords are secure and have not been compromised, visit the 'Have I Been Pwned' (HIBP) website. If you discover that your passwords have been compromised, you're advised to change your login details immediately on the breached websites, as well as on any other website that uses the exposed passwords.

Users should ensure that they diversify the passwords they use on different online services rather than using the same password across multiple platforms.

In addition, password managers can help by generating new random passwords for different services, reducing password re-use.

Users are also advised to take advantage of multi-factor authentication, requiring them to provide more than one piece of evidence to verify their identity during logins.

In August, the UK's National Cyber Security Centre (NCSC) advised the public to use three random yet memorable words to create passwords, instead of using complicated variations containing a series of random characters.

According to the NCSC, passwords created using three random words are usually longer and difficult for hacking algorithms to predict. Another advantage of using three-word passwords is that people can easily remember them and store them in a secure location, such as a password manager.