The UK’s National Crime Agency (NCA) has given a database of almost 600 million recovered passwords to the Have I Been Pwned project, over 225 million were not in the database. The project manager Troy Hunt announced this on his blog. Anyone who uses the service can now find out whether this new data record contains their own access data. It was therefore on a compromised cloud server and could not be assigned to any platform. The new passwords that were introduced as a result include “flamingo228”, “Alexei2005”, “91177700”, “123Tests” and “aganesq”.
“Pipeline” for authorities
In addition, Have I Been Pwned now also has an interface that has already been announced, through which law enforcement authorities can give such data records to the project more quickly. Hunt worked with the US Federal Police FBI on this expansion. To do this, he converted the system into open source software and made the source code available. Hunt started doing it in the spring after announcing the move last year. But he underestimated the effort and was then supported by the .NET Foundation, a non-profit organization supported by Microsoft. Thanks to the new cooperation, the project can now be updated much faster if a leak becomes known and captured data sets become public.
Hunt opened his password verification service in late 2013, inspired by an immense hack at Adobe. Since then, it has become an increasingly popular contact point for Internet users who want to find out whether their access data has been compromised in the course of a hack. To do this, Hunt integrates databases that have become available. Interested parties can then check whether there is a match for their email address. Hunt also provides an API for automated queries. In 2019 Hunt announced that he wanted to sell the service, but then had fundamental doubts about the plan. Nothing came of the sale and Have I Been Pwned will remain independent for the foreseeable future.
(mho)