The agency donated the passwords to an anti-hacking public service site

This week, Britain’s National Crime Agency (NCA) recovered a database of 225 million login credentials from cyber-criminals. They had stolen this data from real users’ email addresses and passwords.

The NCA then donated the list of stolen passwords to free online service Have I Been Pwned (HIBP). This site lets anyone search through hundreds of millions of passwords to see if theirs is in the hands of criminals.

Troy Hunt, the security researcher who runs the site, described the transaction in a blog post. He said he now has a “pipeline” for law enforcement to add passwords they have recovered to the service.

“The premise is simple,” Hunt said. “During the course of their investigations, they [FBI and NCA] come across a lot of compromised passwords.” He posited that if they were able to continuously feed those into HIBP, the services using Pwned Passwords would be able to better protect their customers.

He said the FBI and NCA will now be able to contribute using the open-source systems his team has built.

A database of over 800 million compromised passwords

Chris Lewis-Evans, from NCA’s National Cyber Crime Unit, said the list of compromised passwords came from the largest set the NCA had ever recovered. It was a total of more than two billion email and password pairs.

“After the financial and other identifiable personal data was mitigated, officers were left with a large set of credentials which could not be attributed to specific data breaches,” he said.

Those passwords made up the “donation” to HIBP.

Working in collaboration with the NCA, Hunt said he imported and parsed out the data set against the existing passwords. He then found 225,665,425 completely new instances out of a total set of 585,570,857. Hunt wrote that he has rolled the whole set into a final version of the manually released Pwned Passwords data.

The NCA release brings the total Pwned Passwords count to 847,223,402, a 38 percent increase over the last release.