British police give Have I Been Pwned 226 million new passwords
The National Cyber Crime Unit, part of the UK’s National Crime Agency, has shared nearly 586 million passwords with Have I Been Pwned. Of these, nearly 226 million were new to HIBP. In addition, the FBI can now enter passwords directly into HIBP’s database.
During an investigation into criminal activity, the NCCU found millions of passwords on an unnamed UK cloud storage service. These passwords were linked to email addresses and were a collection of ‘known and unknown datasets’. It is unknown who placed this data on the cloud storage service. However, criminals could access this data and use it to commit fraud, for example.
Because the passwords did not belong to one victim, platform or company, the NCCU chose to share them with the Have I Been Pwned website so that as many victims as possible could be informed about the theft. The file contained 585,570,857 passwords, compared to 613 million passwords in the Pwned Passwords service at the time. Among those 586 million passwords, 225,665,425 were unique to Have I Been Pwned. These are now also included in the Pwned Passwords database.
These passwords are now available through the Pwned Passwords API, among other channels, which other organizations can integrate into their own services. For example, a website can add the API to its registration form, so that the website owner can prevent a user from reusing a previously leaked password.
Troy Hunt, administrator of HIBP, also announced that the previously announced link between the FBI and this API has now been completed. Now when the FBI finds passwords, they can be imported directly into the API. This ingestion pipeline was developed as open source. Hunt wants the entire codebase of Have I Been Pwned to be open source.