A quarter-billion of those passwords were not seen in previous breaches that have been added to Have I Been Pwned.
According to the National Crime Agency’s National Cyber Crime Unit in the U.K., nearly 586 million sets of credentials had been collected in a compromised cloud storage facility, free for the taking by any cybercrime yahoo who happened to stop by.
The credentials were a mixed bag in terms of sources, and it’s not clear how these passwords became compromised. But because they couldn’t be linked to a specific company, the NCA tapped Troy Hunt, creator of the Have I Been Pwned (HIBP) website and a Microsoft regional director, to check the passwords against the HIBP database of compromised passwords.