Have I Been Pwned Adds Over 225 Million Passwords From UK Agency

Have I Been Pwned (HIBP) has made it easier for law enforcement to share compromised data, starting with over 225 million passwords from the UK National Crime Agency (NCA).

For the unfamiliar: HIBP is a platform devoted to helping people find out if their personal data has been posted somewhere on the dark web. That way if someone has indeed been pwned they can take action—change their password, replace their credit card, etc.—rather than remaining unaware of the fact that someone has stolen their personal data.

The ability to search for potentially compromised data would make HIBP useful enough. But it also provides an API called Pwned Passwords that companies use to check the platform's database of stolen information. This lets people stay informed through no effort of their own, and a new ingestion pipeline is likely to make the offering that much more powerful.

“This pipeline enables the ingestion of passwords from law enforcement agencies, like the FBI,” HIBP creator Troy Hunt says in a blog post. “The premise is simple: during the course of their investigations, they come across a lot of compromised passwords and if they were able to continuously feed those into HIBP, all the other services out there using Pwned Passwords would be able to better protect their customers from account takeover attacks.”

As to whether or not law enforcement agencies will actually use that ingestion pipeline, well, that's where the NCA comes in. Hunt says the agency shared hundreds of millions of passwords, although he notes that “there were already 613M of them in the live Pwned Passwords service (and many millions more in my local working copy waiting for the next release).”

Despite those duplicates, the NCA-provided data included 225,665,425 new passwords, which have already been added to Pwned Passwords. Companies using the API, including password manager providers and browser makers, can now check whether the credentials they're managing for their users have been compromised in some way.

“Today's release brings the total Pwned Passwords count to 847,223,402, a 38% increase over the last version,” Hunt says. “More significantly, if we take the prevalence counts into consideration that's 5,579,399,834 occurrences of a compromised password represented in this corpus.”
