Half a billion stolen credentials were discovered in a compromised cloud storage facility, according to the National Crime Agency’s National Cyber Crime Unit in the U.K.
Since the data came from various sources and couldn’t be linked to a specific company or organization, the agency contacted independent security researcher Troy Hunt to check whether the credentials matched some of the contents of Have I Beed Pwned. Apparently, 226 million of them were new to Hunt’s database, which at that moment contained 613 million breached passwords in total.
NCA and Troy Hunt Collaborated, Final Version of Pwned Passwords Data Now Available
“Working in collaboration with the NCA, I imported and parsed out the data set against the existing passwords, I found 225,665,425 completely new instances out of a total set of 585,570,857. As such, this whole set (along with other sources I’d been accumulating since November last year) has all been rolled into a final version of the manually released Pwned Passwords data,” Hunt wrote in a blog post.
Analysis revealed that the credentials were an accumulation of both known and unknown breached datasets. “The fact that they had been placed on a U.K. business’s cloud storage facility by unknown criminal actors meant the credentials now existed in the public domain, and could be accessed by other third parties to commit further fraud or cyber-offenses,” the NCA said in a statement shared with Hunt.
Since the passwords are now added to Have I Been Pwned database, they are now searchable and potential victim can verify the security risk of a password.
A compromised password hides numerous risks. Current technologies, such as AI-based analytical tools can identify patterns of how a user creates passwords.
Last month, GoDaddy domain registrar was hit by another large-scale data breach, which also affected GoDaddy resellers, including 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple and tsoHost. An unknown threat actor used a compromised password to gain a foothold in the provisioning system in the company’s legacy code base for Managed WordPress.