
Police found 225 million stolen passwords hidden on a hacked cloud server. Is yours one of them?

Dec 21, 2021 Hi-network.com

The UK National Crime Agency (NCA) and National Cyber Crime Unit (NCCU) have discovered a cache of 225 million stolen emails and passwords and handed them to HaveIBeenPwned (HIBP), the free service for tracking credentials stolen and/or leaked through past data breaches. 

The 225 million new passwords join HIBP's existing body of 613 million passwords in the Pwned Passwords set, which offers website operators hashes of the passwords so they can stop users from choosing them when creating a new account. Individuals can use HIBP's Pwned Passwords page to see whether their passwords have been leaked in previous breaches.


The service helps organizations meet NIST's recommendation that users should be prevented from using any password that was previously exposed in a breach. That requirement aims to address the increasing use of "credential stuffing", where criminals test large lists of leaked and commonly used username and password combinations against various online accounts. 


The technique has been used to compromise 50,000 online bank accounts since 2017, the FBI warned last year, and works because many people still use the same password to protect multiple accounts; if any one of the accounts protected with that shared password is breached, the person's other accounts become vulnerable to credential stuffing. 

The technique became a problem a decade ago after billions of credentials were leaked online following major data breaches, giving attackers huge credential data sets to test against accounts of varying importance, ranging from online game accounts to bank accounts and employee accounts. 

NCA and NCCU came across the cache of stolen credentials at a compromised but unnamed cloud storage facility. 

"During recent NCA operational activity, the NCCU's Mitigation@Scale team were able to identify a huge amount of potentially compromised credentials (emails and associated passwords) in a compromised cloud storage facility," the NCA said in a statement to HIBP. 

"Through analysis, it became clear that these credentials were an accumulation of breached datasets known and unknown. The fact that they had been placed on a UK business's cloud storage facility by unknown criminal actors meant the credentials now existed in the public domain, and could be accessed by other 3rd parties to commit further fraud or cyber offences."

The NCA told the BBC that last year working with UK police it identified that there had been a compromise of a UK organisation's cloud storage facility, leading to over 40,000 files being uploaded to their servers by cyber criminals. Among these files was the collection of compromised emails and passwords.

NCA handed the compromised passwords to HIBP's operator, Troy Hunt, who verified NCCU's finding that the passwords were not in the existing Pwned Passwords data set. Among the passwords new to the set, he said, were: 

  • flamingo228
  • Alexei2005
  • 91177700
  • 123Tests
  • aganesq

"The NCCU's Mitigation@Scale team conducted a comparison of the compromised data against the HIBP password repository to identify any previously unseen passwords now in the public domain," NCA said.

Organisations can download the hashed data set, in SHA-1 format, as a compressed 17.2GB file. It's the first version to include a regularly updated list of compromised credentials that law enforcement, such as the FBI, discover during investigations.
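The hashed list described above, and the per-site check mentioned earlier, work as follows: a site hashes the candidate password with SHA-1, looks the upper-case hex digest up in the corpus, and rejects the password if it appears. The Python below is an added illustration, not HIBP's or the NCA's code; it builds a tiny stand-in corpus from the passwords listed in this article (with made-up prevalence counts) in the "HASH:COUNT" line format, and mimics the prefix-bucket lookup of the public range API so only the first five hex characters of the digest would ever leave the client.

```python
import hashlib

# Constructed sample: a stand-in for the downloadable Pwned Passwords list.
# Passwords come from the article's own list; the counts are made up.
SAMPLE_BREACHED = {"flamingo228": 3, "Alexei2005": 1, "91177700": 12,
                   "123Tests": 2, "aganesq": 1}


def sha1_upper(password):
    """SHA-1 hex digest in the upper-case form the Pwned Passwords list uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_corpus_lines(breached):
    """Emit lines in the downloadable list's 'HASH:COUNT' format."""
    return [f"{sha1_upper(p)}:{n}" for p, n in breached.items()]


def load_corpus(lines):
    """Parse 'HASH:COUNT' lines into a dict keyed by the full SHA-1 digest."""
    corpus = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue  # tolerate blank lines in a hand-edited file
        digest, _, count = line.partition(":")
        corpus[digest.upper()] = int(count)
    return corpus


def k_anon_bucket(corpus, prefix):
    """Return every 35-char suffix (with count) sharing a 5-char prefix.
    This is the shape of a range-API response: the client sends only the
    prefix and finishes the comparison locally (k-anonymity)."""
    prefix = prefix.upper()
    return {h[5:]: n for h, n in corpus.items() if h.startswith(prefix)}


def breach_count(corpus, password):
    """How many times `password` appears in the corpus (0 = never seen)."""
    digest = sha1_upper(password)
    bucket = k_anon_bucket(corpus, digest[:5])
    return bucket.get(digest[5:], 0)


def accept_new_password(corpus, password):
    """NIST-style screening at signup: refuse any previously breached password."""
    return breach_count(corpus, password) == 0
```

Against the real 17.2GB file the same lookup would be done with a sorted-file or database index rather than a Python dict.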

Hunt stressed that the passwords supplied to HIBP by the FBI and NCA are not for his service but for the community, since they can be used by anyone to meet NIST's recommendations to mitigate credential stuffing. 

This is a cool headline, but journos are missing something really important when they say the @NCA_UK or @FBI is giving either @haveibeenpwned or myself passwords; they're giving **the community** passwords https://t.co/MtIr2pYuRD

- Troy Hunt (@troyhunt) December 20, 2021

"Today's release brings the total Pwned Passwords count to 847,223,402, a 38% increase over the last version. More significantly, if we take the prevalence counts into consideration that's 5,579,399,834 occurrences of a compromised password represented in this corpus," explains Hunt. 


