

  • Matthew Spencer - Tech Journalist

225 million unexposed passwords discovered by the UK National Crime Agency

The UK National Crime Agency (NCA) and National Cyber Crime Unit (NCCU) found a stash of 225 million stolen passwords. Have I Been Pwned (HIBP) made it easy to share the compromised data and to check quickly for related breaches.

HIBP is a platform for finding vulnerable web addresses or emails with a few clicks. It reflects mass-generated passwords and information stored on the dark web, letting users know if their email or data is compromised. The general suggestion for those users is to change the password, enable two-factor authentication (2FA) and follow any other necessary information regarding the breach. An appearance does not make clear whether the password itself is breached; the email may just be on a list stored on vulnerable storage.

As the UK agency found 225 million vulnerable passwords, HIBP stored that data on its platform's back end so users could find out about their situation much more quickly. The collaboration is pretty straightforward and excellent, to be honest.

The UK's National Crime Agency (NCA) donated the passwords to HIBP as a general procedure for detecting hacked passwords and growing HIBP's store of them. The donation grew HIBP's password bank by more than a third compared to its previous state.

We can type passwords, email addresses or phone numbers into HIBP's search bar to determine how many times that data has appeared in breaches. Significant leaks such as the 2012 LinkedIn breach, the 2019 Canva breach and similar occurrences can be found in HIBP's database.

Hunt announced a collaboration in which the FBI feeds compromised passwords into HIBP's growing collection. Users find the platform very easy to use, and it gives them a measure of confidence in their data. Appearing in the HIBP database is not the end of the world.

The recommendation for breached passwords is to change them to something lengthy that contains nothing guessable. Include numbers, some symbols, and a combination of upper-case and lower-case letters. Using a password manager to generate a strong random password is a great idea. Coming up with a solid password by hand is a lengthy process, and a password manager helps hugely with it.

In the release note, Hunt said, "Today's release is about turning on the firehose of new passwords and making them immediately available to everyone for free."

HIBP reports that in April 2021, over 500 million Facebook users' data was made freely available for download; that's approximately 20 per cent of users. In October, 50,000 unique email addresses were exposed, along with names, physical addresses, passport numbers, passwords, phone numbers, MD5 hashes and other sensitive data.

The support of the FBI and NCA is enormously pleasing, according to Hunt, as it made it easy to make the data accessible to the general public. HIBP's growing bank of information allows customers and businesses to be aware of breaches easily.

Though the pipeline remains open and will continue to be, it is still questionable whether government agencies will do something similar in the coming days. According to Hunt, hundreds of millions of passwords were shared through "613 million of the live Pwned Password service."

Of course, there were duplicates, as numbers at this scale can get a bit unwieldy, but the NCA provided 225,665,435 new passwords. They were promptly added to HIBP's password bank. Companies such as password manager vendors and browser makers use the HIBP API to find out whether credentials are exposed. At the moment, if you go to the saved passwords tab in your browser, chances are that if any of them are exposed, there will be a prompt to change them immediately.
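
One way a password manager or browser can run this exposure check without sending the password anywhere, as an added example that is not code from the article or from HIBP: it assumes the Pwned Passwords range format, where the client sends only the first five hex characters of the password's SHA-1 and matches the returned `SUFFIX:COUNT` lines locally. The corpus, counts and padding line are constructed, the function names are hypothetical, and the service side is a local stand-in so nothing touches the network.

```python
import hashlib

# Constructed sample data: passwords and counts a range service might hold.
CONSTRUCTED_CORPUS = {"password": 3, "letmein": 2, "P@ssw0rd": 1}
# Constructed padding line: a count of 0 marks a decoy, not a breach entry.
CONSTRUCTED_PADDING = "0" * 35 + ":0"


def split_hash(password: str) -> tuple:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def constructed_range_response(prefix: str) -> str:
    """Service side (stand-in): every SUFFIX:COUNT whose hash starts with prefix."""
    lines = [CONSTRUCTED_PADDING]
    for known, count in CONSTRUCTED_CORPUS.items():
        known_prefix, known_suffix = split_hash(known)
        if known_prefix == prefix.upper():
            lines.append(f"{known_suffix}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str, fetch_range=constructed_range_response) -> int:
    """Client side: send only the prefix, then match the suffix locally."""
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)  # the password and full hash never leave the client
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)  # 0 here means the matching line was padding
    return 0


if __name__ == "__main__":
    for candidate in ("password", "P@ssw0rd", "a-long-random-manager-generated-value"):
        print(candidate, "->", breach_count(candidate))
```

Passing a real HTTP fetcher as `fetch_range` keeps the client logic unchanged; a return value of 0 covers both "not in the set" and "matched only a padding line".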

The latest addition of passwords grew HIBP's password bank by 38 per cent, totalling 847,223,402 compromised passwords.

