Police finds dictionary with 225 million passwords after taking control of hacker group servers

In an operation in charge of the British police, authorities announced the recovery of a database used by cybercriminal groups to store millions of email addresses and passwords stolen from legitimate users. The list is available for consultation on Have I Been Pwned, the free data security incident tracking service.

Troy Hunt, administrator of the platform, points out that Have I Been Pwned allows users to search through millions of stolen data to check if their confidential information has been compromised in any security incidents. The website’s latest feature allows authorities to aggregate confiscated information from cybercriminals so that users can confirm or dismiss the compromise of their personal data.

The expert adds that, from now on, agencies such as the Federal Bureau of Investigation (FBI) and the National Crime Agency (NCA) will be able to contribute using the open source systems of the platform, giving as an example this “donation” of more than 220 million compromised records that can be verified in Have I Been Pwned, which increased by more than 20% its records stored for security verification.

What if you find your data at Have I Been Pwned?

According to Hunt, if your email addresses and security keys appear in this database, cybercriminals have accessed this information and it is best to reset your passwords or stop using those email addresses.

Chris Lewis-Evans of the British police adds that the information shared with Have I Been Pwned comes from the largest set of information the NCA has seized from cybercriminal groups: “Last year, the NCA identified the compromise of a cloud deployment operated by a UK organisation, which caused cybercriminals to download more than 40,000 files onto their servers, equivalent to millions of personal records.”

Often, the main objective of cybercriminals is to obtain confidential information, as these records allow the deployment of subsequent malicious campaigns, including identity theft, phishing and hijacking of online sessions. Things get easier for threat actors when users use easy-to-guess passwords or use the same password for multiple online platforms, so it’s best to keep passwords secure for each email account, social media platform, or cloud storage unit.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.