The FBI will now start working together with Have I Been Pwned so that leaked data uncovered by the FBI can be added to the website’s database. Have I Been Pwned offers you a way to check if your data, login details or other records have been compromised by data breaches. The two have started working together to help grow the site’s database, which shows you whether your information is available to cyber criminals and whether you need to change it right now. Based on ongoing investigations by the bureau, fresh passwords and emails will now be added to the Have I Been Pwned database as they become available.
“avenue to feed compromised passwords into HIBP and surface them via the Pwned Passwords feature.”
Have I Been Pwned?
For those of you who have never heard of Have I Been Pwned before, it’s a website offering a free service that lets you check whether your online accounts have been compromised. In recent months several large social media platforms were compromised and data was either scraped or stolen. Good examples are the Facebook data breach, in which the personal data of 533m Facebook users leaked on the Dark Web for free, and the LinkedIn compromise, after which the data of 500 million LinkedIn users was offered for sale on the Dark Web.
By visiting Have I Been Pwned and entering your email address, personal phone number or password, you can then check records of compromised data freely available on the Dark Web, hacker forums, and other sources. If one of your data entries gets flagged, chances are good that hackers already have your personal info and you may want to start making a few changes.
Have I Been Pwned’s database is becoming so vast that even popular password-keeping apps such as 1Password use the website’s database to check and alert their users if one of their passwords has been compromised or when login credentials have been made public. Now that the FBI will also feed the website’s database, it will surely grow to be the singular online destination for compromised data across the dark web.
Happy to announce…
Aside from the FBI opening up its doors to HIBP, Hunt also explained that now that HIBP has open sourced its code base, they will start asking people for help developing an ingestion route for new data coming from the FBI. Hunt explained that the FBI is involved in a vast number of investigations involving ransomware, botnets, online child sexual exploitation and terrorism.
HIBP has a very simple code base, according to Hunt, consisting of Azure Storage, a single Azure Function, and a Cloudflare worker. It also has its own web domain, its own Cloudflare account, and additional Azure services, so it can be open sourced independently of the rest of HIBP if needed.
“So, I can proverbially ‘lift and shift’ Pwned Passwords into open source land in a pretty straightforward fashion which makes it the obvious place to start,” Hunt says, explaining the mobility of HIBP.
The data found by the FBI is often used by cyber criminals for advanced nefarious digital purposes. Currently HIBP is offering the FBI a way to feed the passwords into HIBP and surface them via the Pwned Passwords tool. These passwords will be provided as SHA-1 and NTLM hash pairs, which aligns with Pwned Passwords’ current storage constructs. The development of a new, faster data entry method for the FBI will greatly improve crackdowns on dark web projects where stolen data is used for long-term illicit projects. At the moment the FBI does not yet have a way to do this.
At the time of writing the largest data breaches according to HIBP are:
| Number of accounts | Breach |
|---|---|
| 772,904,991 | Collection #1 accounts |
| 711,477,622 | Onliner Spambot accounts |
| 622,161,052 | Data Enrichment Exposure From PDL Customer accounts |
| 457,962,538 | Anti Public Combo List accounts |
| 393,430,309 | River City Media Spam List accounts |