Have I Been Pwned working with FBI to maximise online password breach information

The site has also become open source, ensuring the code can be examined for security issues.

A website that allows anyone to identify if their internet security has been compromised has announced it is working with the FBI to maximise password breach information.

Have I Been Pwned (HIBP) gets close to one billion requests per month from people checking to see if emails, passwords and mobile phone numbers have been leaked on the internet.

Visitors type in their details and the site lists any and all indexed incidents where that data has been unintentionally exposed publicly. Users can also sign up to be emailed if or when their details are next made available online.

Password managers like LastPass and 1Password also offer password leak notifications.

The new partnership will ensure any compromised passwords the FBI finds during its investigations are added to HIBP, which already contains billions of pieces of information.

In a blog post, HIBP creator Troy Hunt said the partnership should mean the timely introduction of freshly compromised passwords to the database.

"Their goal here is perfectly aligned with mine and, I dare say, with the goals of most people reading this: to protect people from account takeovers by proactively warning them when their password has been compromised," he said.

Bryan A Vorndran, Assistant Director of the FBI's cyber division, said the deal was an example of how important public/private partnerships were in the fight against cybercrime.

"We are excited to be partnering with HIBP on this important project to protect victims of online credential theft," he told Hunt.

Hunt also announced that the site was now open source, meaning the code has been released under a licence that gives anyone the right to use it. It also means programmers can examine the code for security issues.

"It's now an important part of many online services and this move ensures that anybody can run their own Pwned Passwords instance if they so choose," Hunt wrote.

"My hope is that this encourages greater adoption of the service both due to the transparency that opening the code base brings with it and the confidence that people can always 'roll their own' if they choose."