The NCA shares 585 million passwords with Have I Been Pwned

The UK National Crime Agency has shared a collection of more than 585 million compromised passwords it found during an investigation with Have I Been Pwned, a website that indexes data from security breaches.

The NCA now becomes the second law enforcement agency to officially supply HIBP with hacked passwords after the US Federal Bureau of Investigations began a similar collaboration with the service back in May.

In a blog post today, Troy Hunt, HIBP creator Troy Hunt said that 225 million of the compromised passwords found by the NCA were new and unique.

These passwords have been added to a section of the HIBP website called Pwned Passwords. This section allows companies and system administrators to check and see if their current passwords have been compromised in hacks and if they are likely to be part of public lists used by threat actors in brute-force and password-spraying attacks.

Currently, the HIBP Pwned Passwords collection includes 5.5 billion entries, of which 847 million are unique. All these passwords are also available as a free download, so companies can check their passwords against the data set locally without connecting to Hunt's service.

In a statement shared by Hunt, the NCA said it found the compromised passwords, paired with email accounts, in an account at a UK cloud storage facility.

"Through analysis, it became clear that these credentials were an accumulation of breached datasets known and unknown," the NCA told Hunt.

The NCA said they weren't able to determine or attribute the compromised email and password combos to any specific platform or company.

"The fact that they had been placed on a UK business's cloud storage facility by unknown criminal actors meant the credentials now existed in the public domain, and could be accessed by other 3rd parties to commit further fraud or cyber offences," the agency added, justifying its decision to share the data with Hunt.

HIBP is currently integrated and used by 27 governments across the world to test user accounts and identify when their details leak and enter the public domain.