A quarter-billion of those passwords were not seen in previous breaches that have been added to Have I Been Pwned.
According to the National Crime Agency’s National Cyber Crime Unit in the U.K., nearly 586 million sets of credentials had been collected in a compromised cloud storage facility, free for the taking by any cybercrime yahoo who happened to stop by.
The credentials were a mixed bag in terms of sources, and it’s not clear how these passwords became compromised. But because they couldn’t be linked to a specific company, the NCA tapped Troy Hunt, creator of the Have I Been Pwned (HIBP) website and a Microsoft regional director, to check the passwords against the HIBP database of compromised passwords.
It turns out that 226 million of them were new to HIBP, which was already a comprehensive resource containing 613 million pwned passwords.
“Through analysis, it became clear that these credentials were an accumulation of breached datasets known and unknown,” the NCA said in a statement provided to Hunt. “The fact that they had been placed on a U.K. business’s cloud storage facility by unknown criminal actors meant the credentials now existed in the public domain,