The UK National Crime Agency (NCA) and its National Cyber Crime Unit (NCCU) have discovered a cache of 225 million stolen emails and passwords and handed them to Have I Been Pwned (HIBP), the free service for tracking credentials stolen or leaked in past data breaches.
The 225 million new passwords join HIBP’s existing body of 613 million passwords in the Pwned Passwords set, which offers website operators the passwords in hashed form so they can stop users from choosing any of them when creating a new account. Individuals can use HIBP’s Pwned Passwords page to see whether their passwords have been leaked in previous breaches.
The service helps organizations meet NIST’s recommendation that users should be prevented from using any password that was previously exposed in a breach. That requirement aims to address the increasing use of “credential stuffing”, where criminals test large lists of leaked and commonly used username and password combinations against many online accounts.
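As an added illustration of the registration check the article describes (not code from the article or from HIBP), the following Python shows how a site can reject a breached password using only a hash. It goes slightly beyond the article: the real Pwned Passwords service answers "range" queries keyed by the first five hex characters of the SHA-1 hash, so the full hash never leaves the site; the range data, counts and `local_lookup` hook here are constructed for the example.

```python
import hashlib
from typing import Callable, Dict

# Constructed sample of "range" responses, keyed by the 5-character SHA-1
# prefix a client would send. Each line is "<35-char suffix>:<count>", the
# line format the Pwned Passwords range API uses. The counts and the second
# suffix are fabricated for this example; the first suffix is the real
# SHA-1 of the string "password", so the check below has something to hit.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1D2F85BD3CD7D3A2B9B1C8E4F4A0B6C7D8E:2\r\n"
    ),
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords set is keyed by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def breach_count(password: str, lookup: Callable[[str], str]) -> int:
    """Return how many times `password` appears in the breach set.

    Only the first five hex characters of the hash are handed to `lookup`
    (k-anonymity); the rest is compared locally. `lookup` is an assumed
    hook: here it reads SAMPLE_RANGES, in production it would fetch the
    range text over HTTPS.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


def local_lookup(prefix: str) -> str:
    """Offline stand-in for the range query (constructed data only)."""
    return SAMPLE_RANGES.get(prefix, "")


def acceptable_new_password(password: str) -> bool:
    """Registration rule from the NIST guidance the article cites:
    reject any password already seen in a known breach."""
    return breach_count(password, local_lookup) == 0
```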
The technique has been used to compromise 50,000 online bank accounts since 2017, the FBI warned last year, and works because many people still use the same password