When a cache of millions—or even a billion—username-password combinations is stolen and posted to Pastebin, Github or a hacker forum, victimized organizations struggle to respond. And victimized users often twist in the wind wondering whether their identities and personal information are at risk.
With more than 1 billion active monthly users worldwide, Facebook has taken steps to ease that angst for its users, many of whom likely reuse the same credential on more than just the social network.
The company announced today that it has built a tool that will scour public postings of credentials and automatically notify its subscribers if their Facebook credentials have been put online.
“We monitor a selection of different ‘paste’ sites for stolen credentials and watch for reports of large scale data breaches,” said Facebook security engineer Chris Long. “We collect the stolen credentials that have been publicly posted and check them to see if the stolen email and password combination matches the same email and password being used on Facebook.”
Long said the automated system doesn’t store plaintext Facebook credentials.
“To check for matches, we take the email address and password and run them through the same code that we use to check your password at login time,” Long said. “If we find a match, we’ll notify you the next time you log in and guide you through a process to change your password.”
Today’s announcement is a swift reaction to the recent string of data breaches afflicting large retailers, including Home Depot, Supervalu super markets, Target and many others, most of which lost not only payment card information, but also personal customer data. Target alone reported the theft of the personal data (names, mailing addresses, email addresses, phone numbers) of 70 million people, in addition to the 40 million payment card records that were stolen.
The problem worsens because of password reuse. With consumers in particular, many re-use passwords on any number of sites, including for important transactions such as banking, to social networks, gaming and news sites. The risks are obvious with password re-use, in that if a hacker is able to steal someone’s Facebook credential, there’s nothing stopping them from trying that same username-password combination for Gmail, financial sites or anywhere else they may profit.
Facebook put its system through its paces last November looking for data lost in an October breach at Adobe where more than three million credentials were stolen. Users who repeated credentials were required to reset their passwords.
Long explained that Facebook reacts to reported data breaches with its system and once credentials are posted publicly, the system parses data into a standardized format. Each password is then hashed using Facebook’s own algorithm.
“Once we have the list of stolen email addresses and hashed passwords, an automated system checks each one of them against the Facebook internal databases to see if any of the email addresses and hashed passwords match valid login information on Facebook,” Long said.
If there’s a match, a user is presented with a dialog box upon their next visit to the site and gets step-by-step instructions on how to change their password.
“Changing your password will invalidate the stolen password and help protect the Facebook account,” Long said, adding that a password manager and two-factor authentication help keep credentials secure.