Facebook trawls through paste sites for compromised credentials

In the spirit of November as National Cyber Security Awareness Month, Facebook security engineer Chris Long shared how the company discovers that some of its users’ accounts could be compromised and preemptively pushes them towards changing the password.

The company has created an automated system that trawls public paste sites (Pastebin and such) for leaked login credentials, collects the information, compares it to the Facebook internal databases and, if a match is found, alerts and guides the user through the password-changing process.

“The Facebook Security team has always kept a close eye on data breach announcements from other organizations. Theft of personal data like email addresses and passwords can have larger consequences because people often use the same password on multiple websites,” Long pointed out.

For those worried that this means that Facebook employees can easily access and see their password, he explained that the process is completely automated.

The found sets of stolen credentials are fed into a program that parses the data into a standardized format, then the automated system checks each one of them against Facebook’s databases to see if any of the email addresses and hashed passwords match valid login information on Facebook.

“We hash each password using our internal password hashing algorithm and the unique salt for that person,” he noted. “Since Facebook stores passwords securely as hashes, we can’t simply compare a password directly to the database. We need to hash it first and compare the hashes.”

While this system helps both users and the company, Facebook notes that every user is personally responsible for choosing a strong and unique password for each of their online accounts.

Enabling two-factor authentication wherever possible is also a great idea, noted Long, as is using Facebook Login when one needs to sign into other websites.