UK’s National Crime Agency discovers 585 million compromised passwords in cloud storage facility

Today, Specops Software announced the addition of over 230 million compromised passwords to its Breached Password Protection database. This latest update comes from both its own internal attack monitoring systems as well as the addition of hundreds of millions of compromised passwords recently found by the United Kingdom’s National Crime Agency (NCA).

The NCA announced in December that it had found 585 million compromised passwords in a UK cloud storage facility. Because none of the dataset was attributable to any single company or platform, the agency engaged Have I Been Pwned (HIBP) to share the compromised data with the public. About 225 million from the dataset were new to the HIBP database.

“This update is a big deal,” said Darren James, Product Specialist at Specops Software. “It shows that more government entities understand the danger of compromised credentials and the risk they pose to individuals and corporations.”

The NCA had the following to say about the discovered dataset:

“During recent NCA operational activity, the NCCU’s Mitigation@Scale team were able to identify a huge amount of potentially compromised credentials (emails and associated passwords) in a compromised cloud storage facility. Through analysis, it became clear that these credentials were an accumulation of breached datasets known and unknown.

Because the credentials identified could not be attributed to any one company or platform, the NCCU engaged with Troy Hunt, the CEO and creator of the ‘Have I Been Pwned’ (HIBP) website. The NCCU’s Mitigation@Scale team conducted a comparison of the compromised data against the HIBP password repository to identify any previously unseen passwords now in the public domain.

As a result of this activity, over 225 million compromised passwords previously unseen by HIBP were provided by the NCA to HIBP for incorporation into their password repository, allowing them to be checked by individuals and companies worldwide seeking to verify the security risk of a password before usage, supporting the NCA’s mission to protect the public from cyber criminality.” (

The Specops team analyzed the ~225 million dataset and found the following to be true of passwords found in it:

  • Passphrases are not more prevalent. Our team compared the instances of “3 (or more) Random Words” found in the password data and found 0.00048% of the UK password data met our “passphrase” criteria, compared with 0.03987% of the full HIBP database.
  • 74% of the passwords have 12 characters or less. Requiring passwords longer than 12 characters would protect against the majority of this dataset, something our team has seen in past analysis.
  • More than 80% of passwords in this data have no special characters at all, in line with compliance trends on removing complexity as a requirement.

The team also took a look at what was most common across passwords found in the dataset.

Top 10 Base Words in the NCA dataset

  1. xiaonei 
  2. alex 
  3. qwerty
  4. dima
  5. qwer
  6. anna 
  7. mama 
  8. love
  9. sasha
  10. vlad 

Xiaoeni was found as a base word in the NCA dataset over 498,000 times. This base word set differs from previous base word analysis our team has done on other data leaks but indicates at least part of this data set might be related to the Chinese social network now known as Renren.

“We see that hackers again are getting around any complexity or length requirements by going after passwords they know might be reused on your network,” James said. “A long or complex password is no stronger than “password” if it is breached, which is why it’s so important for organizations to protect against the reuse of breached passwords.” 

You can find out how many of your Active Directory users are using compromised passwords like these by running a free read-only scan with Specops Password Auditor. Read more and download it here.

With Specops Password Policy and Breached Password Protection, companies can block over 4 billion compromised passwords in Active Directory. The compromised passwords include ones used in real attacks today or are on known breached password lists like the full HIBP password database, making it easy to comply with industry regulations such as NIST or NCSC. Our research team’s attack monitoring systems update the service daily and ensure networks are protected from real world password attacks happening right now. The Breached Password Protection service blocks these banned passwords in Active Directory with customizable end-user messaging that helps reduce calls to the service desk.

color meter from green to red
Check Your AD for 950M+ Compromised Passwords with a free, read-only audit

About Specops Software

Specops Software is the leading provider of password management and authentication solutions. Specops protects your business data by blocking weak passwords and securing user authentication. With a complete portfolio of solutions natively integrated with Active Directory, Specops ensures sensitive data is stored on-premises and in your control. Every day thousands of organizations use Specops Software to protect business data.

Media Contact

Media contact details can be found on this page.

(Last updated on February 25, 2022)

Back to Blog