How Facebook Deals with Stolen Passwords


USBThief650Facebook continued to mark National Cyber Security Awareness Month with content aimed at explaining the measures it takes to keep its users safe, and the latest addition is a note on the Protect the Graph page from security engineer Chris Long explaining how the social network reacts to the sharing of stolen passwords on public sites.

Long wrote:

The Facebook Security team has always kept a close eye on data breach announcements from other organizations. Theft of personal data like email addresses and passwords can have larger consequences because people often use the same password on multiple websites. Unfortunately, it’s common for attackers to publicly post the email addresses and passwords they steal on public “paste” sites. Lots of household company names have experienced the unpleasant phenomenon of seeing account data for their sites show up in these public lists, and responding to these situations is time-consuming and challenging.

Our team wanted to do something to improve this situation, so we built a system dedicated to further securing people’s Facebook accounts by actively looking for these public postings, analyzing them and then notifying people when we discover that their credentials have shown up elsewhere on the Internet. To do this, we monitor a selection of different paste sites for stolen credentials and watch for reports of large-scale data breaches. We collect the stolen credentials that have been publicly posted and check them to see if the stolen email and password combination matches the same email and password being used on Facebook. This is a completely automated process that doesn’t require us to know or store your actual Facebook password in an unhashed form. In other words, no one here has your plain text password. To check for matches, we take the email address and password and run them through the same code that we use to check your password at login time. If we find a match, we’ll notify you the next time you log in and guide you through a process to change your password.

Long also offered the following tips for users to more strongly secure their passwords and other personal data:

  • Enable login approvals, our two-factor authentication solution, to add an extra layer of security for your account. You’ll enter a security code from your phone when logging in from a new browser.
  • Use Facebook Login when you need to sign into other websites. You won’t have to create (or remember) a user name or password, and the service won’t be able to post on your behalf unless you let it. Even if the website you are logging into ever gets compromised, the attacker won’t have a copy of your password.

Readers: Have any of your passwords ever been stolen?

Image courtesy of Shutterstock.