Posted on December 22, 2021 at 6:38 PM
U.K’s National Crime Agency (NCA) says it recovered a database of 225 million login details hidden on hacked cloud servers. The agency noted that the data was stolen from users’ email addresses and passwords.
NCA added that the list has been donated to Have I Been Pawned (HIBP), a free online service that allows users to check whether their accounts have been compromised. So many people still use one password for more than one account. This has allowed threat actors to test several passwords out, making many users vulnerable to credential stuffing.
Users Asked To Be Very Cautious With Their Passwords
Troy Hunt, a security researcher with the site, in a blog post, described the exchange between the site and NCA. He stated that the credential tracking service now provides an avenue for law enforcement to send compromised passwords to the platform. It will allow users to verify whether their accounts are still safe.
The report also suggested that the recommendations from the security agencies will help users to be very cautious of their passwords. This means they will see reasons to stop using the old details that have been exposed in the breach, keeping the users safe in the future.
The report also addresses the increased use of “credential stuffing” that enables threat actors to easily crack the details of users’ accounts.
Hackers have used the technique to compromise over 50,000 online bank accounts since 2017, according to an FBI security advisory.
The method is still very effective for these threat actors because many users still use one password to access two or more accounts online. This leaves them more exposed because once an account is compromised, the hackers could easily have access to other accounts sharing the same password details.
The Data Is A Compilation Of Previously Compromised Accounts
In a statement to HIBP, the NCA noted that its team was able to uncover the huge amount of potentially compromised credentials in a hacked cloud storage facility.
Following analysis, it was discovered that the breached files were an accumulation of previously compromised datasets, some of which as known while others are unknown.
And since they were stored on UK’s business cloud storage by unknown threat actors, it means the credentials are already available in the public domain. It also means that the third party can easily use the data for future fraudulent purposes.
The NCA also stated that there was a breach of the cloud storage facility of a UK organization, which allowed cybercriminals to upload over 40,000 files to their servers. These files contained exposed emails and passwords. When the data was handed over to HIBP’s Troy Hunt, it was confirmed that they are not in the existing Pwned Passwords data set.
Hunt added that the passwords sent by the NCA and the FBI are not for the HIBP’s service but the community. He stressed that it can be used by anyone to meet NIST’s recommendation when mitigating credential stuffing.
With the latest released, Hunt says the total number of Pwned passwords it has put out on the HIBP server is now 847,223,402, which is a 38% surge over the last version.
Security researchers have provided more ways for the user to verify whether their passwords are among those stolen or compromised. A recent report provided three ways users can monitor their passwords and find out when it has been compromised.
They can use Microsoft Edge Password monitor, Firefox Lockwise, or Google Password Checkup for this verification. The tools are provided as an extension of the respective browsers.
The Data Is Part Of Unknown Hacking Incidents
After the financial and other important personal data was mitigated, there were other sets of credentials that cannot be linked to any specific data breach. It means that while some data breaches are reported, some other breaches are unknown to the victimized organizations. This makes it more difficult for the affected users to take appropriate actions to protect themselves.
The remaining 225 million passwords donated to HIBP cannot be connected or linked to any known hacking incident. As a result, users have been asked to use the website to check whether their credentials have been exposed to the public. The criminals may have sold the stolen database on the darknet. But the ICA wants to allow users to change their passwords and secure their accounts before they are used wrongly.