Lock icon and login screen on laptop showing compromised passwords on Have I Been Pwned

UK Law Enforcement Shares 585 Million Compromised Passwords With “Have I Been Pwned” Website, 225 Million Are New

United Kingdom law enforcement has shared over half a million compromised passwords found in cloud storage with Have I Been Pwned, the leading site for safely checking if login credentials have been compromised.

The headline item is that over one-third of these passwords (about 225 million) have not been logged before, a number that is three times the population of the entire UK.

Hundreds of millions of new compromised passwords hit dark web, become publicly available

The trove of compromised passwords comes from a cloud storage facility seized by the UK National Crime Agency (NCA). The agency believes that the password set was compiled from various data breaches, but about 225 million of them were not previously known to Have I Been Pwned and may have come from previously unknown hacks. The NCA is not presently attributing any of the compromised passwords to any specific breaches. However, some were found paired with email accounts.

The NCA believes that the compromised passwords are available in the public domain given the amount and breadth of the compilation, an idea supported by the fact that more than half were already known to Have I Been Pwned. Given the massive amount, cyber security experts are recommending that all internet users check the site to see if any of their logins have been compromised.

Though Have I Been Pwned is a trusted name in checking for compromised passwords (and is used for that purpose by 27 national governments around the world), it is quite rare for law enforcement agencies to share the stolen logins they recover with any private entity. This is only the second time it has happened; the FBI established an ongoing relationship with the site in May of this year. The general public is able to use the “Pwned Passwords” section of the Have I Been Pwned site to see if a password has been compromised without connecting it to an email address or username; administrators can also download a raw list of passwords for local checks when new accounts are set up or passwords are changed.

Even if compromised passwords are not linked to email addresses or other identifying information, they are still put to use in “brute force” and “password spray” attacks that simply try potentially relevant segments of these giant lists against known usernames or email logins. The Have I Been Pwned site does not link compromised passwords to other login information at the user end, but allows either element to be searched to determine if it has appeared in a known breach.

Have I Been Pwned password list expands to over 5 billion entries, 847 million unique passwords

Founded in 2013, Have I Been Pwned was created primarily in response to the massive breaches of Adobe, Yahoo Voices and Sony that had happened shortly before. The site’s policy is to add compromised passwords to its database as soon as possible after they become publicly visible so that users can be warned.

The new compromised passwords provided from the NCA now comprise about 1/4 of Have I Been Pwned’s database of original entries. The password dump from the UK represented a 38% growth for this particular segment of the database. It would be nice to know more about who collected the passwords and where they originate from, but the NCA is declining to provide further details for now.

While the 5.5 billion compromised passwords in the Have I Been Pwned database are comprised of quite a few repeats, and while the average internet user now has about 100 accounts that require a login (ideally each with unique passwords), the number of unique passwords in the database is now pushing 1 billion. Continued pipelining of information from the FBI and NCA will likely move that number to over 1 billion at some point. With a total internet-using world population of about 5 billion, it could be the case that roughly one out of five passwords in use has been compromised and made available to the public at some point.

Some, such as Baber Amin, COO at Veridium, see the inevitable answer to this as the end of the password entirely: “It points to the sheer size of the problem, the problem being passwords, an archaic method of proving one’s bonafides. If there was ever a call to action to work towards eliminating passwords and finding alternates, then this has to be it … with the help of AI based analytical tools, the bad actors can start to identify patterns of how a person creates passwords.” But some of these proposed alternate solutions, such as biometric identification, could potentially threaten privacy and internet anonymity.

Ron Bradley, VP of Shared Assessments, is of the opinion that passwords are still a viable form of security so long as users practice better hygiene (and potentially make use of a password manager):

“Working from the premise that the Internet is becoming more hostile and difficult to navigate on a daily basis, it sometimes reminds me of the warning light on the dashboard of your car that’s been on for so long you literally no longer see it. So, on the fifth anniversary of Ron’s Yearly Resolutions (I’m making that up, but have been saying the same thing for years), here’s the short list:

  • Buy and use a versatile password manager (free is fine, but you get what you pay for)
  • Turn on Multi-factor Authentication everywhere possible (especially apps that move money)
  • Be a part of the 1%’ers that have no idea what their bank password is because it’s too long and complex
Trove of compromised #passwords comes from a #cloud storage facility seized by the UK NCA who believes that the password set was compiled from various #databreaches. #cybersecurity #respectdataClick to Tweet

Resolutions come and they go, and are easily broken, so start small. Resolve yourself to adding one single important account to your password manager and the rest will follow. Don’t be afraid of the password reset function if a password is somehow mangled, that’s what the feature is there for. Keep your work passwords as far apart from your personal passwords as possible. Lastly, assume you’ve been pwned and protect yourself accordingly.”


Senior Correspondent at CPO Magazine