The UK's National Crime Agency shares more than 585 million passwords with the leak-checking site 'Have I Been Pwned?'



On December 20, 2021, Troy Hunt, the developer of 'Have I Been Pwned?' (HIBP), a website for checking whether personal information has been leaked, announced that the UK's National Crime Agency (NCA) had shared with HIBP more than 585 million passwords it found in the course of an investigation.

Troy Hunt: Open Source Pwned Passwords with FBI Feed and 225M New NCA Passwords is Now Live!
https://www.troyhunt.com/open-source-pwned-passwords-with-fbi-feed-and-225m-new-nca-passwords-is-now-live/



UK govt shares 585 million passwords with Have I Been Pwned
https://www.bleepingcomputer.com/news/security/uk-govt-shares-585-million-passwords-with-have-i-been-pwned/

The NCA shares 585 million passwords with Have I Been Pwned - The Record by Recorded Future
https://therecord.media/the-nca-shares-585-million-passwords-with-have-i-been-pwned/

HIBP is a website where you can use your password, email address, and phone number to check whether your Internet service account information has been leaked. Initially, it only supported searches by email address or ID, but since 2018 it has also been running a service called 'Pwned Passwords' that matches passwords against past leaked data. Enterprises and system administrators can use Pwned Passwords to check whether passwords have been compromised, for example by hacking, and whether they are at risk of being used in brute force attacks or password spray attacks.

'Pwned Passwords', a free service that lets you check whether your password appears in past leaked data - GIGAZINE



In recent years, HIBP has been updating its list of compromised passwords with information provided by law enforcement agencies; in May 2021, leaked password data held by the Federal Bureau of Investigation (FBI) was added.

And in a blog post on December 20, Hunt announced that, following the FBI, the NCA in the United Kingdom had shared a total of more than 585 million compromised passwords with HIBP. When Mr. Hunt imported and analyzed the password data shared by the NCA, he found that more than 225 million of the approximately 585 million passwords were not yet on the list.

In the latest release of Pwned Passwords at the time of writing, the list contained about 5.58 billion compromised passwords in total, of which 847 million were unique.



According to a comment sent by the NCA to Mr. Hunt, the 'potentially compromised credentials (email address and password)' shared this time were discovered at a cloud storage facility in the United Kingdom. Analysis revealed that these credentials came from both known and unknown compromised datasets.

'The fact that these data were placed in a UK business's cloud storage facility by an unknown criminal actor means that the credentials are currently in the public domain, and this data could be used for further fraud and cybercrime. The identified credentials could not be attributed to one company or platform, so the NCA's National Cybercrime Unit (NCCU) has teamed up with Troy Hunt, the developer and CEO of Have I Been Pwned (HIBP),' said the NCA.

in Web Service, Security, Posted by log1h_ik