NCA donates 225 million passwords to Have I Been Pwned

Password is seen in a maginfying glass written in green text while surrounded by binary code written in blue text
(Image credit: Shutterstock)

National crime authorities in the UK and US have committed to providing compromised passwords they find during the course of their crime-fighting everyday work to Have I Been Pwned (HIBP), a popular website to check compromised login credentials.

The UK's National Crime Agency (NCA) donated more than 225 million passwords it had stored after detecting them through the course of their normal work, growing HIBP's bank of hacked passwords by more than a third.

Prior to the NCA's donation, HIBP stored 613 million compromised passwords in its database. The NCA offered up a bank of passwords more than 585 million-strong and after parsing out the duplicates, Troy Hunt, owner of the website, found a little more than 225 million passwords that weren't currently in his database.

Speaking to Hunt, the NCA said the donated passwords were found in a UK business' cloud storage facility and were an accumulation of datasets both known and unknown. It meant the compromised credentials were now in the public domain but couldn't be attributed to any company or platform which is why the agency engaged HIBP.

Hunt also announced the FBI will now be collaborating with HIBP with an injection pipeline into the site. The FBI has been helping HIBP build an open source tool that allows law enforcement and crime-fighting agencies like the FBI and NCA to feed compromised credentials directly into the HIBP website via an injection pipeline.


Busting the myths about SSO

Why SSO capability is critical to the success of IAM


Hunt transitioned the site into a .NET framework earlier this year which allowed him to build the pipeline, a tool that hopes to make it easier for law enforcement to donate more passwords in the future.

"Today's release is about turning on the firehose of new passwords and making them immediately available to everyone for free," said Hunt, announcing the news on his blog. "Having this open to the community, owned by the community and supported by the FBI and NCA is an enormously pleasing result, and I couldn't be happier than to end the year on this note"

HIBP is a website that allows users to query its database with their email addresses and passwords to check if their credentials have been included in data breaches. When checking email addresses, the website will inform users of what company's data breach in which their email address was compromised.

Its password checker also tells users how many times their password has been seen after being included in a data breach and provide guidance on how to change passwords and manage new ones.

A growing bank of data allows HIBP to be more useful to consumers and businesses, and makes stolen credentials less useful in the hands of criminals.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.