UK law enforcement has donated a tranche of 225 million unique passwords to a cyber-security project helping to protect users from hacking.
The National Crime Agency (NCA) recovered the database from cyber-criminals who had collected real users’ email addresses and passwords.
That list has been added to free online service Have I Been Pwned (HIBP).
It lets anyone search through hundreds of millions of passwords to see if theirs is in the hands of criminals.
Troy Hunt, the security researcher who runs the site, announced on Friday that it now has a “pipeline” function for law enforcement to add passwords they have recovered to the service.
“The premise is simple,” he wrote in a blog post.
“During the course of their investigations, they come across a lot of compromised passwords, and if they were able to continuously feed those into HIBP, all the other services out there using Pwned passwords would be able to better protect their customers from account takeover attacks.”
An account takeover attack is when a hacker gains the username and password for an online service and is able to take control of it.
Mr Hunt said the US FBI and UK’s NCA will now be able to contribute using the open-source systems his team has built. He gave a special thanks to the NCA for the “donation” of 225 million new passwords.
“Before today’s announcement, there were already 613 million passwords in the live Pwned Passwords service, so the NCA’s corpus represents a significant increase in size,” he wrote.
“Working in collaboration with the NCA, I found 225,665,425 completely new passwords. Now every single one of those NCA passwords is searchable.”
The NCA is now encouraging people to search for their own passwords on the website.
If your password appears in the database, then it is in the hands of cyber-criminals and you should change it.
Chris Lewis-Evans, from the NCA’s National Cyber Crime Unit, said that the huge list of compromised passwords came from the largest set the NCA had ever recovered – more than two billion email and password pairs.
“Last year the NCA, working with UK policing, identified that there had been a compromise of a UK organisation’s cloud storage facility, leading to over 40,000 files being uploaded to their servers by cyber-criminals,” he said – without identifying which cloud provider was involved.
“After the financial and other identifiable personal data was mitigated, officers were left with a large set of credentials which could not be attributed to specific data breaches,” he said.
Those 225 million passwords made up the “donation” to HIBP.
Cyber-attacks “often” end with personal data such as passwords – as well as financial and other personal information – being stolen, he said. Criminals then sell on this data to others to commit fraud.
Making these passwords searchable for those trying to keep their accounts secure would “significantly” limit how useful they are to criminals, he said.