Have I Been Pwned, the website that gives you a way to check which of your login details have been compromised by data breaches, is working with the FBI to grow its database. The partnership will give the website access to fresh passwords as they become compromised, depending on what the feds are investigating at the moment. Troy Hunt, the website's creator, has announced the partnership, explaining that the FBI reached out to ask if there's a way to provide the agency with an "avenue to feed compromised passwords into HIBP and surface them via the Pwned Passwords feature."
As Hunt explained, the FBI is involved in all sorts of investigations into digital crimes, such as botnets, ransomware, online child sexual exploitation and terrorism. The compromised passwords they find are often being used by crime rings, so the passwords' quick addition to the HIBP database would be extremely helpful. That said, the website doesn't have a way for the feds to quickly feed passwords into its database yet.
Thus, Hunt is asking people to help develop an ingestion route for the data now that HIBP has open sourced its code base. He first announced last year that he would open source Have I Been Pwned's code base to ensure a more sustainable future for the website. Now, HIBP is officially an open source project under the non-profit org .NET Foundation. Hunt has listed what he's thinking of for the FBI password ingestion code, if you think you'll be able to help. He said he's hoping that the "scope of this facility may expand in the future" to enable other law enforcement agencies to contribute their own finds.
I’m very happy to announce that @haveibeenpwned’s Pwned Passwords is now open source under the @dotnetfdn. Now we’ve got some work to do: building an ingestion pipeline for new passwords provided by the @FBI on an ongoing basis. This is super cool 😎 https://t.co/iM17zemmwE
— Troy Hunt (@troyhunt) May 27, 2021
Bryan A. Vorndran, Assistant Director of the FBI's Cyber Division, said:
"We are excited to be partnering with HIBP on this important project to protect victims of online credential theft. It is another example of how important public/private partnerships are in the fight against cybercrime."