22 December 2021

The UK National Crime Agency discovers over 500 million stolen passwords online



The UK’s National Crime Agency and National Cyber Crime Unit have discovered a colossal trove of stolen passwords and contributed the collection to the Have I Been Pwned (HIBP) service, which allows users to check whether their login information has leaked online.

According to Troy Hunt, a founder of HIBP, the agency handed over a total of 585,570,857 passwords, of which 225,665,425 were found to be unique. With the Have I Been Pwned database already containing 613 million credentials, this newest addition brings the total number up to around 847 million.

In a statement sent to Hunt, the NCA explained how it found the massive collection of compromised passwords.

“During recent NCA operational activity, the NCCU’s Mitigation@Scale team were able to identify a huge amount of potentially compromised credentials (emails and associated passwords) in a compromised cloud storage facility. Through analysis, it became clear that these credentials were an accumulation of breached datasets known and unknown,” the agency said.

“The fact that they had been placed on a UK business’s cloud storage facility by unknown criminal actors meant the credentials now existed in the public domain, and could be accessed by other 3rd parties to commit further fraud or cyber offences.”

Hunt also said that HIBP was working with the FBI to create an “ingestion pipeline” that allows law enforcement agencies to feed compromised credentials directly into the HIBP website.

