Troy Hunt expands collection of leaked passwords to half a billion


Security researcher Troy Hunt, known for his site Have I Been Pwned, has expanded his existing dataset of 306 million leaked passwords with roughly 200 million more. Organizations can use the list to check whether a password a user wants to set has already appeared in a breach.

His collection is called Pwned Passwords and makes the passwords available only in hashed form. The hashes are SHA-1, which is admittedly not a strong choice for password storage, but which according to Hunt is sufficient to prevent the plaintext passwords from being trivially recovered from the list. The full dump is 8.8GB and also contains a counter per password indicating how often it occurs in the researcher's total collection. For example, ‘abc123’ occurs more than 2.5 million times, Hunt writes in a blog post.

In that post he explains that the added passwords came mainly from the Onliner spambot dump, which consisted of about 711 million records and contained passwords alongside email addresses. He also used a collection of 1.4 billion plaintext credentials that circulated on the dark web some time ago, and that had already been available via torrent links on Reddit before that. That collection was assembled from several data breaches.

The new collection, labeled V2, can be downloaded directly or via torrent. Hunt asks people to use the torrent, because hosting the dataset is expensive. He has also updated his API page with information on how to read the new dump; the web service that went online with the first version can still be used. Hunt makes the passwords available in the hope that organizations running a website, for example, will use them to warn users who pick a password that has already been leaked. He warns against entering a password that is still in active use anywhere into the online service.
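The following is an added example, not code from Hunt or from the Pwned Passwords project, showing how a site could use the downloaded list offline to reject passwords that appear in it. It assumes the dump is a text file with one `SHA1HEX:COUNT` entry per line (uppercase SHA-1 hex digest, colon, occurrence count); the sample dump below is constructed from plaintext strings so the example runs self-contained, and its counts are illustrative rather than Hunt's real figures. Checking locally against the downloaded file also avoids sending a live password to anyone's web service, which is exactly what Hunt warns against.

```python
import hashlib
from typing import Dict, Iterable


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the key used by the dump."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample dump (NOT the real file). The real download holds only
# hashes and counts, never plaintext; the lines here are generated from
# plaintext so the example runs offline. Counts are illustrative.
_CONSTRUCTED = {"abc123": 2500000, "password": 3300000, "hunter2": 17000}
SAMPLE_DUMP = "\n".join(f"{sha1_hex(p)}:{n}" for p, n in _CONSTRUCTED.items())


def load_counts(lines: Iterable[str]) -> Dict[str, int]:
    """Parse 'SHA1HEX:COUNT' lines into a hash -> count map.

    Blank lines are skipped. A malformed line raises instead of being
    skipped, so a truncated or corrupted download cannot silently turn
    into 'password not found'.
    """
    counts: Dict[str, int] = {}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        digest, sep, count = line.partition(":")
        if not sep or len(digest) != 40 or not count.isdigit():
            raise ValueError(f"malformed Pwned Passwords line: {raw!r}")
        counts[digest.upper()] = int(count)
    return counts


def breach_count(password: str, counts: Dict[str, int]) -> int:
    """How often the password appears in the loaded dump (0 if never)."""
    return counts.get(sha1_hex(password), 0)


def lookup_streaming(password: str, lines: Iterable[str]) -> int:
    """Same lookup without building a dict: scan line by line.

    The real dump is several gigabytes, so loading it into memory per
    request is not realistic; a single pass over the file (or a database
    / sorted-file binary search) is the practical approach.
    """
    target = sha1_hex(password)
    for raw in lines:
        digest, sep, count = raw.strip().partition(":")
        if sep and digest.upper() == target:
            return int(count)
    return 0


def password_allowed(password: str, counts: Dict[str, int],
                     max_seen: int = 0) -> bool:
    """Policy: reject any password seen more than max_seen times in breaches.

    max_seen=0 rejects anything that appears at all; a site could relax
    this to tolerate very rare collisions, but 0 is the safe default.
    """
    return breach_count(password, counts) <= max_seen


if __name__ == "__main__":
    table = load_counts(SAMPLE_DUMP.splitlines())
    for candidate in ("hunter2", "abc123", "correct horse battery staple"):
        seen = breach_count(candidate, table)
        verdict = "allowed" if password_allowed(candidate, table) else "rejected"
        print(f"{candidate!r}: seen {seen} times -> {verdict}")
```

In production the check belongs at account creation and password change, and the message to the user should say the password has appeared in a breach rather than that it is "weak", since a long random string that happens to be in the list is rejected for the same reason as `abc123`.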

The online version of Pwned Passwords with input ‘hunter2’
