Facebook scans ‘paste sites’ for leaked usernames and passwords

Facebook has a system in place to scan public ‘paste’ sites for email address and password combinations to stay one step ahead of possible leaks, according to The Register.

In a blog post entitled ‘Keeping Passwords Secure’, Chris Long, a Security Engineer at the social network, outlined how the procedure works. “We built a system dedicated to further securing people’s Facebook accounts by actively looking for these public postings, analyzing them, and then notifying people when we discover that their credentials have shown up elsewhere on the Internet,” writes Long. “To do this, we monitor a selection of different ‘paste’ sites for stolen credentials and watch for reports of large scale data breaches. We collect the stolen credentials that have been publicly posted and check them to see if the stolen email and password combination matches the same email and password being used on Facebook.”

“It then checks these credentials with those used to access the site, and if it finds a match, warns the affected user their account is at risk,” explains The Daily Mail.

But Long was clear that this is an automated process which never involves passwords being stored in an unhashed form. “In other words, no one here has your plain text password,” he added.
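A check of this kind can be run against stored hashes only, as this added example shows (it is not Facebook's code and not from the original post). The PBKDF2 scheme, the per-user salt, the account store layout and all names and sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor, not a value from the article

def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored form of a password (assumed scheme: salted PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)

def make_account(password: str) -> dict:
    """Build a record holding only the salt and hash, never the plaintext."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

def parse_paste(text: str):
    """Yield (email, password) from 'email:password' lines; skip other lines."""
    for line in text.splitlines():
        # Split on the first colon only, so passwords may contain colons.
        email, sep, password = line.strip().partition(":")
        if not sep or "@" not in email or not password:
            continue
        yield email.lower(), password

def find_exposed_accounts(paste_text: str, accounts: dict) -> list:
    """Return emails whose leaked password matches the local stored hash."""
    exposed = set()
    for email, leaked_password in parse_paste(paste_text):
        record = accounts.get(email)
        if record is None:
            continue  # leaked address has no account here
        # Re-hash the leaked password with this account's own salt and
        # compare in constant time; the plaintext is then discarded.
        candidate = hash_password(leaked_password, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            exposed.add(email)
    return sorted(exposed)

# Constructed sample data: two local accounts and one paste from elsewhere.
ACCOUNTS = {
    "alice@example.com": make_account("correct horse battery"),
    "bob@example.com": make_account("hunter2"),
}
PASTE = """\
# dump from some other site (constructed)
Alice@Example.com:correct horse battery
bob@example.com:not-bobs-password
carol@example.com:whatever
malformed line
"""

if __name__ == "__main__":
    print(find_exposed_accounts(PASTE, ACCOUNTS))
```

Only accounts returned by `find_exposed_accounts` would be queued for notification; a leaked address whose password differs locally is not flagged.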

Responding to user questions in the comments of the blog piece, Long was at pains to explain that this was not Facebook’s only line of defense. When asked if this meant that hackers would instantly get the chance to change a password when using stolen log-in credentials, Long replied: “we’ve thought about that as well and have explored a few different options. We use a combination of other systems to help detect and block suspicious logins, and those generally do a good job of stopping the scenario you described.”

Tech Times reports that the system was used successfully with last year’s Adobe hack, where 100 million Adobe log-ins were exposed: “The security breach, which exposed the usernames and passwords of more than 100 million Adobe account owners, resulted in a data mining effort that compared login credentials between the two services. As a result of the hack, Facebook hid the profiles of people with the same usernames and passwords on Adobe and their own service.”


Author , ESET
