FBI to Upload Compromised Passwords Directly to Have I Been Pwned
Australian security researcher and founder of the Have I Been Pwned (HIBP) service, Troy Hunt, has announced that the U.S. Federal Bureau of Investigation (FBI) will be granted direct access to upload compromised passwords to the HIBP website. FBI specialists will add data to the Pwned Passwords section of the site as soon as passwords are discovered during investigations.
The FBI will provide passwords in the form of SHA-1 and NTLM hashes, not in plain text. No personal user data will be disclosed.
Until now, compromised passwords in the service were provided by security researchers and anonymous informants. The FBI has become the first official external source to supply data for HIBP’s Pwned Passwords.
Open Source Announcement Coincides with FBI Partnership
The announcement of the HIBP and FBI collaboration came on the same day that Hunt open-sourced the Pwned Passwords component. According to Hunt, this is purely coincidental, and the FBI did not require him to open the HIBP source code. The code, now available on GitHub, will be transferred to the .NET Foundation. Additionally, Hunt stated that the code for the main HIBP data breach index will also be open-sourced in the future.
Additional Information
- HIBP is a popular service for checking whether your email address or password has been exposed in a data breach.