Facebook, the social media giant, has moved to better protect its users. After news that 7 million Dropbox passwords had been leaked through a third-party service, Facebook assured its users that the same would not happen on its platform.
On Friday, Facebook announced a new approach to the problem. For the past few months the company has been searching anonymous posting sites such as Pastebin for compromised passwords, in order to disable them and to inform account holders that their credentials have been used by hackers. If a leaked credential matches a Facebook account, the user is notified and prompted to go through an automatic password reset.
Hackers often post their stolen caches of data on sites that offer anonymous posting. Users are also advised not to reuse the same password across multiple accounts.
Facebook security engineer Chris Long said in a public post announcing the project:
Keeping Passwords Secure
The Facebook Security team has always kept a close eye on data breach announcements from other organizations. Theft of personal data like email addresses and passwords can have larger consequences because people often use the same password on multiple websites. Unfortunately, it’s common for attackers to publicly post the email addresses and passwords they steal on public ‘paste’ sites. Lots of household company names have experienced the unpleasant phenomenon of seeing account data for their sites show up in these public lists, and responding to these situations is time-consuming and challenging.
Our team wanted to do something to improve this situation, so we built a system dedicated to further securing people’s Facebook accounts by actively looking for these public postings, analyzing them, and then notifying people when we discover that their credentials have shown up elsewhere on the Internet. To do this, we monitor a selection of different ‘paste’ sites for stolen credentials and watch for reports of large scale data breaches. We collect the stolen credentials that have been publicly posted and check them to see if the stolen email and password combination matches the same email and password being used on Facebook. This is a completely automated process that doesn’t require us to know or store your actual Facebook password in an unhashed form. In other words, no one here has your plain text password. To check for matches, we take the email address and password and run them through the same code that we use to check your password at login time. If we find a match, we’ll notify you the next time you log in and guide you through a process to change your password.
Once we find a set of stolen credentials, we pass the data into a program that parses it into a standardized format.
After the data has been downloaded and parsed, an automated system checks each one of them against the Facebook internal databases to see if any of the email addresses and hashed passwords match valid login information on Facebook. We hash each password using our internal password hashing algorithm and the unique salt for that person. Since Facebook stores passwords securely as hashes, we can’t simply compare a password directly to the database. We need to hash it first and compare the hashes.
If the email and hash combination doesn’t match, we don’t take any action. A mismatch indicates that the stolen password is different than the password you use on Facebook, and therefore an attacker wouldn’t be able to use that password to access your Facebook account.
If the email address and hash combination does match, we will notify you the next time that you use Facebook and guide you through a process to change your password. Changing your password will invalidate the stolen password and help protect your Facebook account.
This system has worked very well for us in the past, but we recognize that preventing stolen credentials is also important. The problem of password reuse on multiple websites is endemic and well documented. The risks are also clear: if you use the same password on lots of websites, an attacker only has to get your password once to be able to access all of those accounts. Managing many different passwords can be daunting, but picking a good password manager that you trust can make the process much easier.
And in the spirit of National Cyber Security Awareness Month, here are a few additional ideas for protecting yourself online:
- Enable Login Approvals, our two-factor authentication solution, to add an extra layer of security for your account. You’ll enter a security code from your phone when logging in from a new browser.
- Use Facebook Login when you need to sign into other websites. You won’t have to create (or remember) a username or password, and the service won’t be able to post on your behalf unless you let it. Even if the website you are logging into ever gets compromised, the attacker won’t have a copy of your password.
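The matching pipeline the quoted post describes (parse the public dump into a standard format, hash each leaked password with the account's own salt, compare hashes rather than plaintext, and flag matching accounts for a forced reset) can be illustrated end to end. The following is an added example written for this article, not Facebook's own code: the paste content and the user records are constructed, PBKDF2-SHA256 stands in for Facebook's undisclosed internal hashing algorithm, and notify() is a placeholder for the real "prompt for reset at next login" step.

```python
import hashlib
import hmac
import os
import re

# Constructed sample "paste" content (not real data). Dumps mix separators
# and contain junk lines, which is why a normalising parser is needed.
PASTE = """
alice@example.com:hunter2
bob@example.com;Passw0rd!
carol@example.com:summer2014
# junk line with no credential
dave@example.com:notherpassword
"""

def hash_password(password: str, salt: bytes) -> bytes:
    # Assumed stand-in for the site's internal password hash: slow, salted KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def make_user(password: str) -> dict:
    # Each account gets its own random salt, so the same password hashes
    # differently for different people and the plaintext is never stored.
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

# Constructed account store: email -> salted hash record.
USERS = {
    "alice@example.com": make_user("hunter2"),      # reused the leaked password
    "bob@example.com":   make_user("different-pw"), # different password on this site
    "carol@example.com": make_user("summer2014"),   # reused the leaked password
}

# Accepts "email:password" or "email;password", tolerating surrounding whitespace.
CRED_RE = re.compile(r"^\s*([^:;\s]+@[^:;\s]+)\s*[:;]\s*(.+?)\s*$")

def parse_paste(text: str) -> list:
    """Normalise dump lines into (email, password) pairs, skipping junk lines."""
    creds = []
    for line in text.splitlines():
        m = CRED_RE.match(line)
        if m:
            creds.append((m.group(1).lower(), m.group(2)))
    return creds

def find_matches(creds: list, users: dict) -> list:
    """Return emails whose leaked password matches the stored salted hash.

    The leaked password is run through the same hash used at login time;
    only the hashes are compared, so no plaintext is ever needed from the store.
    """
    hits = []
    for email, password in creds:
        rec = users.get(email)
        if rec is None:
            continue  # address is not a registered account: nothing to do
        candidate = hash_password(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):
            hits.append(email)
        # A mismatch means the leaked password differs from the one used here,
        # so the attacker cannot log in with it and no action is taken.
    return hits

def notify(hits: list) -> dict:
    # Placeholder for flagging the account so the next login forces a reset.
    return {email: "password_reset_required" for email in hits}

if __name__ == "__main__":
    leaked = parse_paste(PASTE)
    print(notify(find_matches(leaked, USERS)))
```

Two design points carry over from the post: the per-account salt means every leaked candidate must be hashed separately against each matching account (there is no shortcut through a shared table), and a slow KDF makes that deliberately expensive, which is acceptable here because the check runs once per leaked credential rather than on every login.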