UK National Crime Agency Shares 585 Million Compromised Passwords with Have I Been Pwned

The UK’s National Crime Agency (NCA) has provided the data breach aggregator Have I Been Pwned (HIBP) with a collection of 585 million compromised passwords discovered during an investigation. This marks the second such collaboration: earlier in 2021, the FBI also partnered with HIBP, gaining the ability to directly upload compromised passwords to the service’s database. At that time, it was reported that law enforcement would provide passwords as SHA-1 and NTLM hashes, not in plain text, ensuring that no personal user data would be visible.

Now, HIBP creator and head Troy Hunt has announced a similar agreement with UK authorities. The NCA has already transferred over 550 million breached passwords to HIBP, with about 225 million of them being unique and previously unknown to the database.

According to Hunt, the NCA found these compromised passwords (along with email addresses) in an account stored in an unnamed cloud storage service in the UK. The agency stated that it was unable to determine whether the compromised password and email combinations were linked to any specific platform or company.

“The fact that these credentials were placed in the cloud storage of a UK company by unknown criminals means that they are publicly accessible and could be used by third parties to commit fraud and other cybercrimes,” the NCA warned.