UK National Crime Agency finds hundreds of millions of compromised passwords online

The UK's National Crime Agency (NCA) has identified hundreds of millions of compromised usernames and passwords on the internet and made them available for potential victims to check.

The NCA provided the details to Have I Been Pwned (HIBP), a website that allows individuals and companies to quickly identify if their credentials are among them.

According to HIBP, in the last month more than 1.2 billion requests have been made to the website's database.

The NCA told HIBP the compromised information came to light during an operation at a cloud storage facility.

"Through analysis, it became clear that these credentials were an accumulation of breached datasets known and unknown," it said.

"The fact that they had been placed on a UK business's cloud storage facility by unknown criminal actors meant the credentials now existed in the public domain, and could be accessed by other third parties to commit further fraud or cyber offences."

The NCA data contained over 585 million compromised passwords. When these were compared against HIBP's database of 613 million passwords, around 226 million were found to be new and were added to the database.

In May this year, HIBP announced it was partnering with the FBI to add any usernames and passwords it finds during investigations to the database.

"Their goal here is perfectly aligned with mine and, I dare say, with the goals of most people reading this: to protect people from account takeovers by proactively warning them when their password has been compromised," HIBP founder Troy Hunt said.

Hunt said the latest release is about "turning on the firehose of new passwords and making them immediately available for free".

HIBP is an open source website, meaning the code has been released under a license that gives anyone the right to use it. It also means programmers are able to examine the code to make sure there are no security issues.

Users can sign up on the website to be emailed if or when their details are made available online, while password managers like LastPass and 1Password also offer password leak notifications.

Anyone wanting to check whether the tranche of passwords found by the NCA contains their details can do so in the passwords section of the website.