NCA donates 225 million passwords to Have I Been Pwned
The move comes as both UK and US national crime-fighting agencies collaborate with the popular compromised credential checker


National crime authorities in the UK and US have committed to providing the compromised passwords they find during their everyday crime-fighting work to Have I Been Pwned (HIBP), a popular website for checking compromised login credentials.
The UK's National Crime Agency (NCA) donated more than 225 million passwords it had stored after detecting them in the course of its normal work, growing HIBP's bank of hacked passwords by more than a third.
Prior to the NCA's donation, HIBP stored 613 million compromised passwords in its database. The NCA offered up a bank of passwords more than 585 million-strong and after parsing out the duplicates, Troy Hunt, owner of the website, found a little more than 225 million passwords that weren't currently in his database.
Speaking to Hunt, the NCA said the donated passwords were found in a UK business' cloud storage facility and were an accumulation of datasets both known and unknown. It meant the compromised credentials were now in the public domain but couldn't be attributed to any company or platform, which is why the agency engaged HIBP.
Hunt also announced that the FBI will now be collaborating with HIBP. The FBI has been helping HIBP build an open source tool that allows law enforcement and crime-fighting agencies like the FBI and NCA to feed compromised credentials directly into the HIBP website via an ingestion pipeline.
Hunt transitioned the site into a .NET framework earlier this year, which allowed him to build the pipeline, a tool intended to make it easier for law enforcement to donate more passwords in the future.
"Today's release is about turning on the firehose of new passwords and making them immediately available to everyone for free," said Hunt, announcing the news on his blog. "Having this open to the community, owned by the community and supported by the FBI and NCA is an enormously pleasing result, and I couldn't be happier than to end the year on this note."
HIBP is a website that allows users to query its database with their email addresses and passwords to check if their credentials have been included in data breaches. When checking an email address, the website tells users which company's data breach the address was compromised in.
Its password checker also tells users how many times their password has been seen after being included in a data breach and provides guidance on how to change passwords and manage new ones.
A growing bank of data allows HIBP to be more useful to consumers and businesses, and makes stolen credentials less useful in the hands of criminals.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.