FBI wants to give passwords to Have I Been Pwned

Together with the Have I Been Pwned (HIBP) service, the FBI is warning people affected by data leaks. In addition, HIBP code has been published on GitHub. If the FBI discovers compromised access data during its investigations, it intends to hand it over to HIBP in the future. There, Internet users can check whether their e-mail addresses, telephone numbers or passwords are contained in various data leaks. The platform is also to become open source, as HIBP operator Troy Hunt announced in a blog post.

The FBI had already handed over 4.3 million login details to Have I Been Pwned in April. Investigators had seized the e-mail addresses and the associated passwords when the Emotet malware network was broken up. Internet users were then able to check via Have I Been Pwned whether they were affected.

As part of its investigations, the FBI repeatedly seizes collections of access data, which it would like to make accessible via Have I Been Pwned in the future so that those affected can be warned. The passwords are not to be passed on in plain text, but as SHA-1 and NTLM hash pairs. That fits perfectly with HIBP's current storage design, explains Hunt.

The aim is to protect those affected from account takeovers by proactively warning them if their password has been compromised. “Putting these passwords into HIBP gives the FBI the ability to do this nearly 1 billion times each month,” writes Hunt.

“We are excited to partner with HIBP on this important project to protect victims of online data theft. It is another example of the importance of public-private partnerships in the fight against cybercrime,” said Bryan A. Vorndran, Vice President Director of the FBI’s Cyber Division.

Code from Have I Been Pwned on GitHub

Hunt had already announced in August that he wanted to publish the platform’s code under an open-source license. However, that was more complicated than expected, writes Hunt. 

“I had no idea how to manage an open-source project, set the licensing model, coordinate where the community invests, accept contributions, redesign the release process, and all sorts of other things that I’m sure I haven’t thought of yet.”

At this point, the .NET Foundation gave him a helping hand and had answers to all of his questions. The independent non-profit organization is supported by Microsoft and is intended to support open-source projects in the .NET environment. Some of the Have I Been Pwned code has already been published on GitHub under a BSD license.
