Mystery cloud storage service exposes 580 million customer passwords - but it might all be OK

News
By Sead Fadilpašić
published

Database shared with HaveIBeenPwned belongs to an unknown criminal entity

password_theft_india
(Image credit: Raj N)

The UK National Crime Agency (NCA) has discovered a database containing more than 585 million stolen passwords and emails, and shared it with Have I Been Pwned? to expand and update its database of breached info. 

Have I Been Pwned? is an online service where people can go to check if their email, passwords or other personal details have been compromised, and even identify in which breach this happened. 

According to the report, the NCA found the database in a “compromised cloud storage facility”:

"Huge amount"

“During recent NCA operational activity, the NCCU’s Mitigation@Scale team were able to identify a huge amount of potentially compromised credentials (emails and associated passwords) in a compromised cloud storage facility. Through analysis, it became clear that these credentials were an accumulation of breached datasets known and unknown,” the organization’s announcement reads.

“The fact that they had been placed on a UK business’s cloud storage facility by unknown criminal actors meant the credentials now existed in the public domain and could be accessed by other 3rd parties to commit further fraud or cyber offenses.”

Of the 585 million passwords that were shared with HaveIBeenPwned, more than 225 million were unique - those he hasn’t seen before. With 613 million credentials already sitting in Have I Been Pwned's database, this launch now brings the total number up to around 847 million.

Creating strong passwords

Cybersecurity experts often claim passwords are one of the weakest security measures in existence, better only than having no password, at all. 

Businesses, workers and individuals are advised to switch to a passwordless method, such as biometrics (fingerprint scanner, facial recognition, or similar), or to deploy multi-factor authentication, either through security keys, a 2FA app, or a token generator. 

Many people still use weak and easy-to-guess passwords, risking their online identities being easily stolen. 

For example, “123Tests” was one of the passwords found in the database. Passwords should always be a combination of uppercase and lowercase letters, numbers and symbols, should not represent anything easily discovered online (a date of birth, the name of a significant other, or a pet, for example), and should never be the same for multiple services. Many experts are recommending password managers as means of creating and maintaining strong passwords.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.