Facebook Scours Web for Stolen Passwords

The weekly incidents of data breaches continue to roll on, but Facebook is attempting to take action to protect consumers from their own insecure behavior by scouring the web for compromised account credentials.

When hackers break in and steal user names, email addresses and passwords, the ramifications often extend far beyond the initial breach, because people often use the same password on multiple websites. Attackers tend either to sell the account information for use in brute-force attacks on third-party sites, or simply to release it publicly to cause trouble, creating a free-for-all in which bad actors try the email/password combinations on a variety of sites where sensitive information may be stored, such as online banking or file-sharing services.

“Unfortunately, it's common for attackers to publicly post the email addresses and passwords they steal on public 'paste' sites,” said Chris Long, a security engineer at Facebook, in a company post. “Lots of household company names have experienced the unpleasant phenomenon of seeing account data for their sites show up in these public lists, and responding to these situations is time-consuming and challenging.”

Facebook has built a system dedicated to further securing people's Facebook accounts by actively looking for compromised passwords within these public postings, analyzing them and then notifying people that their credentials have shown up elsewhere on the Internet.

“To do this, we monitor a selection of different 'paste' sites for stolen credentials and watch for reports of large-scale data breaches,” Long said. “We collect the stolen credentials that have been publicly posted and check them to see if the stolen email and password combination matches the same email and password being used on Facebook.”

Lest consumers be concerned, he noted that the process is completely automated, and doesn't require Facebook to know or store a member’s actual Facebook password in an unhashed form.

“In other words, no one here has your plain text password,” he explained. “To check for matches, we take the email address and password and run them through the same code that we use to check your password at login time. If we find a match, we'll notify you the next time you log in and guide you through a process to change your password.”
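The matching step Long describes, as an added illustration that is not Facebook's code: leaked email/password pairs are parsed from a paste and each one is run through the same salted-hash verification the login path uses, so the checker never needs a plaintext copy of the stored password. PBKDF2-SHA256 with a per-user salt stands in here for whatever hash a real site uses, and the paste text and user records are constructed sample data.

```python
import hashlib
import hmac
import os

# Assumed password hash; a real site would reuse its existing login hash.
def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def make_user(password: str) -> tuple[bytes, bytes]:
    """Create a stored record (salt, digest); the plaintext is never kept."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

def verify_login(stored: tuple[bytes, bytes], candidate: str) -> bool:
    """The same check used at login time, with a constant-time compare."""
    salt, digest = stored
    return hmac.compare_digest(digest, hash_password(candidate, salt))

def parse_paste(text: str) -> list[tuple[str, str]]:
    """Extract email:password pairs from a paste, skipping comments and junk."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        email, _, password = line.partition(":")
        email = email.strip().lower()
        if "@" in email and password:
            pairs.append((email, password))
    return pairs

def find_reused_credentials(user_store: dict, paste_text: str) -> list[str]:
    """Return emails whose leaked password also unlocks their account here."""
    hits = []
    for email, leaked_pw in parse_paste(paste_text):
        stored = user_store.get(email)
        if stored is not None and verify_login(stored, leaked_pw):
            hits.append(email)  # flag for notification and forced reset
    return hits

# Constructed sample data: two local accounts and a paste from another site.
USERS = {
    "alice@example.com": make_user("correct horse battery"),
    "bob@example.com": make_user("unique-bob-pass"),
}
PASTE = """# constructed dump from some-other-site
alice@example.com:correct horse battery
bob@example.com:password123
not-an-email-line
carol@example.com:whatever
"""

if __name__ == "__main__":
    print(find_reused_credentials(USERS, PASTE))  # ['alice@example.com']
```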

He also offered some tips for consumers.

“If you use the same password on lots of websites, an attacker only has to get your password once to be able to access all of those accounts,” he said. “Managing many different passwords can be daunting, but picking a good password manager that you trust can make the process much easier.”

Enabling two-factor authentication is, of course, another preferred security strategy.
