When a company suffers a data breach, hundreds of millions or even billions of login credentials may be leaked online and posted to Pastebin, Github or a hacker forum, leaving companies victimized and struggling to respond. Not only is the company victimized, the users are as well, left questioning whether their identities or personal information is at risk.
With more than one billion active monthly users around the globe, Facebook has taken steps to prevent password theft and ease users worry, many whom likely reuse credentials across social media.
Facebook announced today that it has built a tool that will automatically crawl publicly leaked credentials online and notify existing Facebook users if their Facebook credentials have been identified online.
“We monitor a selection of different ‘paste’ sites for stolen credentials and watch for reports of large scale data breaches,” wrote Facebook security engineer, Chris Long. “We collect the stolen credentials that have been publicly posted and check them to see if the stolen email and password combination matches the same email and password being used on Facebook.”
Long continued saying Facebook’s automated system does not store Facebook credentials in plaintext.
“To check for matches, we take the email address and password and run them through the same code that we use to check your password at login time,” Long said. “If we find a match, we’ll notify you the next time you log in and guide you through a process to change your password.”
Facebook’s most recent announcement is a swift and long needed reaction to the recent string of data breaches affecting large retailers, including Home Depot, Kmart, Target, among many others. In the case of most breaches, hackers target payment information but also steal personal customer data.
Facebook’s action is a huge benefit for password reuse. Consumers in particular many re-use passwords across any number of sites, including even the most important such as banking, social networks, email and news sites. The risk of password re-use is obvious, if a hacker steals or gains access to someones password, nothing is stopping them from trying the username and password combination on an email provider or financial institution. The hacker could even stick the credentials into an automated tool, allowing them to test the password combination on any number of sites, individually verifying where the credentials work.
Facebook tested its system last November, when the company searched for the information lost in the Adobe data breach, where more than three million credentials were stolen and leaked online. Users whose data was found online matching their Facebook credential information was required to reset their password.
Long continued to say that Facebook reacts to data breaches once the stolen information is leaked publicly, the system then parses data into a standardized formation. Facebook proceeds to hash each password with their own algorithm.
“Once we have the list of stolen email addresses and hashed passwords, an automated system checks each one of them against the Facebook internal databases to see if any of the email addresses and hashed passwords match valid login information on Facebook,” Long said.
If Facebook’s automated password scanning tool finds a match, the affected users is prompted with during their next visit to the site, directing them to a step-by-step instructional guide on how to change their password.
“Changing your password will invalidate the stolen password and help protect the Facebook account,” Long concluded. Long also recommended the use of a password manager and added users should enable two-factor authentication to stop unauthorized logins.