According to the National Crime Agency’s National Cyber Crime Unit in the U.K., nearly 586 million sets of credentials had been collected in a compromised cloud storage facility, free for the taking by any cybercrime yahoo who happened to stop by.
The credentials were a mixed bag in terms of sources, and it’s not clear how these passwords became compromised. But because they couldn’t be linked to a specific company, the NCA tapped Troy Hunt, creator of the Have I Been Pwned (HIBP) website and a Microsoft regional director, to check the passwords against the HIBP database of compromised passwords.
It turns out that 226 million of them were new to HIBP, which was an already comprehensive resource containing 613 million pwned passwords.
“Through analysis, it became clear that these credentials were an accumulation of breached datasets known and unknown,” the NCA said in a statement provided to Hunt. “The fact that they had been placed on a U.K. business’s cloud storage facility by unknown criminal actors meant the credentials now existed in the public domain, and could be accessed by other third parties to commit further fraud or cyber-offenses.”
The passwords have been added to HIBP, which means they’re searchable by individuals and companies worldwide seeking to verify the security risk of a password before usage. Previously unseen passwords include flamingo228, Alexei2005, 91177700, 123Tests and aganesq, Hunt said in a blog posting Monday.
“It is a both unfortunate and mind boggling that over 200 million of the passwords that were shared by U.K. NCA were brand new to the HIBP service,” Baber Amin, COO at Veridium, said via email. “It points to the sheer size of the problem, the problem being passwords, an archaic method of proving one’s bonafides. If there was ever a call to action to work towards eliminating passwords and finding alternates, then this has to be it.”
He added, “A compromised password goes well beyond the initial compromise as it facilitates password spraying and with the help of AI based analytical tools, the bad actors can start to identify patterns of how a person creates passwords. This is possible as the userID in question is an email address for the majority of the cases.”
The addition brings the total Pwned Passwords count to 847,223,402, “a 38 percent increase over the last version [of HIBP],” Hunt said. “More significantly, if we take the prevalence counts into consideration, that’s 5,579,399,834 occurrences of a compromised password represented in this corpus.”
The size of the database will continue to grow: The FBI and the NCA are now pipelining compromised passwords in to HIBP directly, Hunt noted.
“The premise is simple: during the course of their investigations, they come across a lot of compromised passwords and if they were able to continuously feed those into HIBP, all the other services out there using Pwned Passwords would be able to better protect their customers from account takeover attacks,” he said.
Ron Bradley, vice president at Shared Assessments, suggested that users everywhere take action with these best practices:
- Buy and use a versatile password manager (free is fine, but you get what you pay for),
- Turn on multifactor authentication everywhere possible (especially apps that move money),
- Be a part of the 1-percenters that have no idea what their bank password is because it’s too long and complex,
- Don’t be afraid of the password reset function,
- Keep your work passwords as far apart from your personal passwords as possible. Lastly,
- Assume you’ve been pwned and protect yourself accordingly.
“Let’s put this into perspective,” he said via email. “The 5.5 billion known compromised email addresses and passwords on the internet is quickly catching up with the world population of 7.8 billion people. Therefore, chances are extremely high at least one set of your credentials are toast…Working from the premise that the Internet is becoming more hostile and difficult to navigate on a daily basis, it sometimes reminds me of the warning light on the dashboard of your car that’s been on for so long you literally no longer see it.”
Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.