The UK National Crime Agency (NCA) and National Cyber Crime Unit (NCCU) have discovered a cache of 225 million stolen emails and passwords and handed it to HaveIBeenPwned (HIBP), the free service for tracking credentials stolen and/or leaked through past data breaches.
The 225 million new passwords become part of HIBP’s existing body of 613 million passwords in the Pwned Passwords set, which offers website operators a hash of the passwords to ensure users don’t use them when creating a new account. Individuals can use HIBP’s Pwned Password page to see whether their passwords have been leaked in previous breaches.
The service helps organizations meet NIST’s recommendation that users should be prevented from using any password that was previously exposed in a breach. That requirement aims to address the increasing use of “credential stuffing”, where criminals test large lists of leaked and commonly-used username and password combinations against various online accounts.
The technique has been used to compromise 50,000 online bank accounts since 2017, the FBI warned last year, and works because many people still use the same password to protect multiple accounts; if any of those accounts protected with the common password was breached, the person’s other accounts become vulnerable to credential stuffing.
The technique became a problem a decade ago after billions of credentials were leaked online following major data breaches, giving attackers huge credential data sets to test against accounts of varying importance, ranging from online game accounts to bank accounts and employee accounts.
NCA and NCCU came across the cache of stolen credentials at a compromised but unnamed cloud storage facility.
“During recent NCA operational activity, the NCCU’s [email protected] team were able to identify a huge amount of potentially compromised credentials (emails and associated passwords) in a compromised cloud storage facility,” the NCA said in a statement to HIBP.
“Through analysis, it became clear that these credentials were an accumulation of breached datasets known and unknown. The fact that they had been placed on a UK business’s cloud storage facility by unknown criminal actors meant the credentials now existed in the public domain, and could be accessed by other 3rd parties to commit further fraud or cyber offences.”
The NCA told the BBC that last year, working with UK police, it identified a compromise of a UK organisation’s cloud storage facility, leading to over 40,000 files being uploaded to their servers by cyber criminals. Among these files was the collection of compromised emails and passwords.
The NCA handed the compromised passwords to HIBP’s operator, Troy Hunt, who verified NCCU’s findings that the passwords were not in the existing Pwned Passwords data set. New passwords in the cache, he said, included:
“The NCCU’s [email protected] team conducted a comparison of the compromised data against the HIBP password repository to identify any previously unseen passwords now in the public domain,” NCA said.
Organisations can download the hashed data set in SHA-1 format in a compressed 17.2GB file. It’s the first version to include a regularly updated list of compromised credentials that law enforcement, such as the FBI, discover during investigations.
Hunt stressed that the passwords supplied to HIBP by the FBI and NCA are not for his service but for the community, since they can be used by anyone to meet NIST’s recommendations to mitigate credential stuffing.
“Today’s release brings the total Pwned Passwords count to 847,223,402, a 38% increase over the last version. More significantly, if we take the prevalence counts into consideration that’s 5,579,399,834 occurrences of a compromised password represented in this corpus,” explains Hunt.
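One way a signup or password-change handler could check a candidate password against a local copy of the downloaded SHA-1 set, added here as an example and not code from HIBP or this article. It assumes the hash-ordered download with one `SHA1HEX:count` entry per line and binary-searches the file by byte offset, so the 17.2GB file is never loaded into memory; the function names and sample entries are constructed for illustration.

```python
import hashlib
import io


def sha1_hex(password: str) -> str:
    # The set is keyed by upper-case hex SHA-1; this is a lookup key,
    # not a way to store passwords.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse(line: bytes):
    # Assumed line format: b"<40 hex chars>:<count>\r\n"
    digest, _, count = line.strip().partition(b":")
    return digest, count


def breach_count(password: str, hash_file) -> int:
    """Return the prevalence count for password, or 0 if it is not listed.

    hash_file is a binary, seekable file sorted by hash (assumption).
    """
    target = sha1_hex(password).encode("ascii")
    lo, hi = 0, hash_file.seek(0, io.SEEK_END)
    while lo < hi:
        mid = (lo + hi) // 2
        hash_file.seek(mid)
        hash_file.readline()           # discard the line containing offset mid
        digest, count = parse(hash_file.readline())
        if digest == target:
            return int(count)
        if digest == b"" or digest > target:
            hi = mid                   # a match can only start at or before mid
        else:
            lo = hash_file.tell()      # a match can only start after this line
    hash_file.seek(lo)                 # lo is always the start of a line
    digest, count = parse(hash_file.readline())
    return int(count) if digest == target else 0


def build_sample(pairs) -> io.BytesIO:
    # Constructed stand-in for the real download: same layout, five entries.
    lines = sorted(f"{sha1_hex(p)}:{n}" for p, n in pairs.items())
    return io.BytesIO(("\r\n".join(lines) + "\r\n").encode("ascii"))


# Constructed sample passwords and counts, not real prevalence figures.
SAMPLE = {"password": 5, "123456": 9, "qwerty": 3, "letmein": 2, "dragon": 1}
SAMPLE_FILE = build_sample(SAMPLE)

if __name__ == "__main__":
    for candidate in ("qwerty", "correct horse battery staple"):
        seen = breach_count(candidate, SAMPLE_FILE)
        print(candidate, "-> reject" if seen else "-> accept", seen)
```

Against the real download, open the file with `open(path, "rb")` and pass the handle in place of `SAMPLE_FILE`; a non-zero return means the password should be refused.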