Following an investigation with Have I Been Pwned, a website that indexes security vulnerability data or HIBP, the UK's National Crime Agency (NCA) disclosed more than 585 million compromised passwords. After the FBI launched a similar collaboration with HIBP in May, the NCA became the second law enforcement agency to officially provide hacking passwords to HIBPs.
HIBP creator Troy Hunt said in a blog post today
The 225 million compromised passwords discovered by NCA are new and unique. These passwords have been added to a section of the HIBP website called Pwned Passwords. This section allows companies and system administrators to check and see if their current passwords have been compromised in hacks and whether they have the potential to be part of a public list used by threats in brute force attacks and password spray attacks.
Currently, the HIBP Pwned Passwords collection includes 5.5 billion entries, of which 847 million are unique. All of these passwords are available for free download, so companies can check their passwords locally against the dataset without having to connect to Hunt's service.
In a statement shared by Hunt, the NCA said it found the compromised password in an account at a U.K. cloud storage facility, paired with an email account. The NCA told Hunt: "Through the analysis, it is clear that these credentials are the accumulation of known and unknown corrupted datasets."