Facebook has a system in place to scan public ‘paste’ sites for email
address and password combinations to stay one step ahead of possible
leaks, according to The Register.
In a blog post entitled ‘Keeping Passwords Secure’,
Chris Long, a Security Engineer at the social network, outlined how the
procedure works. “We built a system dedicated to further securing
people’s Facebook accounts by actively looking for these public
postings, analyzing them, and then notifying people when we discover
that their credentials have shown up elsewhere on the Internet,” writes
Long. “To do this, we monitor a selection of different ‘paste’ sites for
stolen credentials and watch for reports of large scale data breaches.
We collect the stolen credentials that have been publicly posted and
check them to see if the stolen email and password combination matches
the same email and password being used on Facebook.”
“It then checks these credentials with those used to access the site,
and if it finds a match, warns the affected user their account is at
risk,” explains The Daily Mail.
But Long was clear that this is an automated process which never
involves passwords being stored in an unhashed form. “In other words, no
one here has your plain text password,” he added.
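
The matching step described above can be done without ever storing a leaked password in the clear. The following sketch is an added example, not Facebook's code: the salted PBKDF2 scheme, the `email:password` paste format, and the in-memory `USER_STORE` are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the value a site stores in place of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str):
    """Build a (salt, hash) record as a hypothetical user table would hold it."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def parse_paste(text: str):
    """Yield (email, password) pairs from 'email:password' lines, skipping junk."""
    for line in text.splitlines():
        # Split on the first colon only, so passwords may contain colons.
        email, sep, password = line.strip().partition(":")
        if sep and "@" in email and password:
            yield email.lower(), password


def find_exposed_accounts(paste_text: str, user_store: dict) -> list:
    """Return emails whose leaked password matches the hash already on file."""
    exposed = []
    for email, leaked in parse_paste(paste_text):
        record = user_store.get(email)
        if record is None:
            continue  # leaked address has no account on this service
        salt, stored = record
        # Re-hash the leaked password with this user's salt; compare in constant time.
        if hmac.compare_digest(hash_password(leaked, salt), stored):
            exposed.append(email)
    return exposed


# Constructed sample data: two accounts and a fake paste.
USER_STORE = {
    "alice@example.com": make_record("correct horse"),
    "bob@example.com": make_record("hunter2"),
}
SAMPLE_PASTE = """# constructed dump
alice@example.com:correct horse
Bob@Example.com:letmein
carol@example.com:hunter2
"""

if __name__ == "__main__":
    print(find_exposed_accounts(SAMPLE_PASTE, USER_STORE))
```

Only the account whose leaked password reproduces the stored hash is flagged; the leaked plaintext exists in memory for the duration of the check and is never written anywhere.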
Responding to user questions in the comments of the blog piece, Long
was at pains to explain that this was not Facebook’s only line of
defense. When asked if this meant that hackers would instantly get the
chance to change a password when using stolen log-in credentials, Long
replied: “we’ve thought about that as well and have explored a few
different options. We use a combination of other systems to help detect
and block suspicious logins, and those generally do a good job of
stopping the scenario you described.”
Tech Times reports that the system was used successfully with last year’s Adobe hack,
where 100 million Adobe log-ins were exposed: “The security breach,
which exposed the usernames and passwords of more than 100 million Adobe
account owners, resulted in a data mining effort that compared login
credentials between the two services. As a result of the hack, Facebook
hid the profiles of people with the same usernames and passwords on
Adobe and their own service.”