

posted by azrael on Monday October 20 2014, @12:36PM
from the proactive-protection dept.

The Facebook Security team has always kept a close eye on data breach announcements from other organizations. Theft of personal data like email addresses and passwords can have larger consequences because people often use the same password on multiple websites. Unfortunately, it's common for attackers to publicly post the email addresses and passwords they steal on public 'paste' sites. Lots of household company names have experienced the unpleasant phenomenon of seeing account data for their sites show up in these public lists, and responding to these situations is time-consuming and challenging.

Our team wanted to do something to improve this situation, so we built a system dedicated to further securing people's Facebook accounts by actively looking for these public postings, analyzing them, and then notifying people when we discover that their credentials have shown up elsewhere on the Internet. To do this, we monitor a selection of different 'paste' sites for stolen credentials and watch for reports of large scale data breaches. We collect the stolen credentials that have been publicly posted and check them to see if the stolen email and password combination matches the same email and password being used on Facebook. This is a completely automated process that doesn't require us to know or store your actual Facebook password in an unhashed form. In other words, no one here has your plain text password. To check for matches, we take the email address and password and run them through the same code that we use to check your password at login time. If we find a match, we'll notify you the next time you log in and guide you through a process to change your password.

This is also covered by The Register.
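The matching step the summary describes (parse a public dump, look up each email in the site's own password store, run the leaked password through the same verifier the login path uses, and act only on the account identifier when it matches), as an added example in Python. This is not Facebook's code or SoylentNews' code. The store layout, the PBKDF2 settings, the dump-line formats and the ROT13 fallback (which goes slightly beyond the summary, picking up the trivially obfuscated dumps the comments below mention) are assumptions made for this example, and the user table and paste text are constructed.

```python
"""Check publicly posted email/password pairs against a site's own password
store. The leaked password is only ever passed to the same verification
routine the login path uses, so no plaintext password is stored or logged and
only the matching account identifier leaves the checker.

Added example, not Facebook's code. Store layout and KDF are assumptions.
"""
import codecs
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Tuple

# Assumed store layout: email -> (salt, PBKDF2-HMAC-SHA256 digest). PBKDF2 is
# used here because it is in the standard library; a production store would
# more likely use a memory-hard KDF such as scrypt or Argon2.
PBKDF2_ITERATIONS = 100_000
PasswordStore = Dict[str, Tuple[bytes, bytes]]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive the stored digest for a password with a fresh (or given) salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """The login-path check, reused unchanged for leak matching; constant-time compare."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def build_store(users: Dict[str, str]) -> PasswordStore:
    """Hash a plaintext user table into the store layout (demo setup only)."""
    return {email.lower(): hash_password(pw) for email, pw in users.items()}


# Dump-line shapes handled: "email:pw", "email;pw", "email|pw", "email,pw",
# "email<TAB>pw" and "pw - email". The email may sit on either side.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SEP_RE = re.compile(r"\s*(?:[:;,|\t]|\s+-\s+)\s*")


def split_pair(line: str) -> Optional[Tuple[str, str]]:
    """Return (email lowercased, password) from one dump line, or None."""
    parts = SEP_RE.split(line.strip(), maxsplit=1)
    if len(parts) != 2:
        return None
    left, right = parts
    if EMAIL_RE.fullmatch(left):
        return left.lower(), right
    if EMAIL_RE.fullmatch(right):
        return right.lower(), left
    return None


def candidate_pairs(line: str) -> List[Tuple[str, str]]:
    """Pairs to try for one line: as written, and ROT13-decoded. Dumps are
    sometimes trivially obfuscated to dodge scrapers; the store lookup decides
    which decoding, if any, was the real one."""
    pairs: List[Tuple[str, str]] = []
    for variant in (line, codecs.decode(line, "rot13")):
        pair = split_pair(variant)
        if pair is not None and pair not in pairs:
            pairs.append(pair)
    return pairs


def find_reused_credentials(paste_text: str, store: PasswordStore) -> List[str]:
    """Return the emails of accounts whose current password appears in the
    paste. Leaked passwords go to verify_password only; they are never
    logged, stored or returned."""
    hits: List[str] = []
    for line in paste_text.splitlines():
        for email, password in candidate_pairs(line):
            record = store.get(email)
            if record is None:
                continue  # not our user; spend no KDF work
            salt, digest = record
            if verify_password(password, salt, digest) and email not in hits:
                hits.append(email)
    return hits


# Constructed demo data; not taken from any real breach.
DEMO_USERS = {
    "alice@example.com": "hunter2",
    "bob@example.com": "correcthorse",
    "email@facebook.com": "Cessp00l",
}
DEMO_PASTE = "\n".join([
    "alice@example.com:hunter2",       # reused on our site -> notify
    "bob@example.com:wrongpass",       # our user, different password -> no match
    "carol@example.com:whatever",      # not our user
    "Prffc00y - rznvy@Snprobbx.pbz",   # ROT13 of "Cessp00l - email@Facebook.com"
])


def demo() -> List[str]:
    """Run the checker over the constructed paste and return accounts to notify."""
    return find_reused_credentials(DEMO_PASTE, build_store(DEMO_USERS))


if __name__ == "__main__":
    for email in demo():
        print(f"notify {email}: password change required at next login")
```

Two points worth noting in the design: the store lookup happens before any KDF work, so a dump full of other sites' users costs almost nothing, and the only thing the checker returns is the account identifier, which is all the notification-at-next-login step needs.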

  • (Score: 2) by kaszz (4211) on Monday October 20 2014, @01:08PM (#107798)

    You can't search paste sites that easy. It will just cause the next iteration:
    Prffc00y - rznvy@Snprobbx.pbz

    To be more blunt:
    Pbqrf, cnffjbeqf naq nppbhagf rgp. Jvyy or rapbqrq va n jnl gung jvyy gujneg gurfr fpnaaref. Vg'f irel rnfl gb hfr fbzrguvat rira zber rynobengr gb nppbzcyvfu guvf.

    • (Score: 2) by fadrian (3194) on Monday October 20 2014, @01:20PM (#107801)

      I couldn't have said it better myself. But you're forgetting about qoks're Yhus 7ytye5s gyk92ov ar sywvj'es%

      --
      That is all.
      • (Score: 2) by kaszz (4211) on Monday October 20 2014, @01:39PM (#107805)

        And you publish or at least hint the algorithm at the start. Because search engines will not interpret written text. But rather blindly chew anything.

  • (Score: 2) by VLM (445) on Monday October 20 2014, @03:03PM (#107839)

    So say I want to rip off the russians by selling them 10M FB accounts. I'll give them a taste by buying 1K accounts of my own, then releasing them, then letting FB verify they're legit and to convince the russians I'm for real. Then wait for the bitcoins to arrive and "sorry suckas aint got no 10M accounts after all"

    Of course it would suck if the guy I purchased the 1K accts from had .ru connections to begin with and they noticed. Whoops.

    For .ru substitute anything you'd like, KGB, NSA, CIA, .mil, the bulgarians (Tom Swift's mortal enemies), doesn't really matter.

    Speaking of Tom Swift in the hollywood business of turning our childhood memories to crap using movies for great profit, where's the "Tom Swift and his Triphibian Atomicar" movies? And who plays Phyllis? This is starting to sound more interesting than BoringBook gossip.

    • (Score: 0) by Anonymous Coward on Monday October 20 2014, @07:13PM (#107925)

      For some reason this comes to mind https://www.youtube.com/watch?v=1z6o1GIEsQE [youtube.com]

      Stealing from criminals who savagely murder others for lesser offenses. Good luck with that.

      • (Score: 2) by VLM (445) on Monday October 20 2014, @09:48PM (#107994)

        Oh the NSA is bad, but they aren't that bad. Well, at least officially.

  • (Score: 3, Insightful) by egcagrac0 (2705) on Monday October 20 2014, @06:48PM (#107916)

    Facebook,

    You have no business trying to hack your users' passwords.

    The real concern is that once they verify that your compromised password works on their site, they'll go seeing what other sites it works on, and integrating all the data with your user account.

    • (Score: 2) by kaszz (4211) on Monday October 20 2014, @07:50PM (#107943)

      Refusal to join is futile, you will be integrated into the facebook grid by free will or by just ending up there anyway.

    • (Score: 2) by c0lo (156) on Monday October 20 2014, @09:02PM (#107973)

      The real concern is that once they verify that your compromised password works on their site, they'll go seeing what other sites it works on, and integrating all the data with your user account.

      Which they can do anyway, without announcing it publicly. Maybe they already have?

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 0) by Anonymous Coward on Monday October 20 2014, @09:37PM (#107988)

      Facebook,

      You have no business trying to hack your users' passwords.

      Actually, if I had a FB account (I don't, thank God) and they had managed to discover my password, I would much rather they quietly told me about it than just kept that information to themselves. After all, if they told me about it then I would at least have the opportunity to remedy the situation. Of course, this assumes that FB would bother to tell someone who has an account with them that their password has been compromised. But then, it looks like that is exactly what they are doing.

      The real concern is that once they verify that your compromised password works on their site, they'll go seeing what other sites it works on, and integrating all the data with your user account.

      If that is what they were up to, why do you think they would bother telling you they discovered your password? How would telling you about it further their goal to get at your accounts on other sites? You do know that if you are using the same password on other sites that it would be prudent to change your passwords at those other sites, too, right? I mean, you really wouldn't be so foolish as to believe that your accounts on those other sites where you are using the same password would still be secure, would you?

      • (Score: 2) by egcagrac0 (2705) on Tuesday October 21 2014, @12:10PM (#108196)

        You do know that if you are using the same password on other sites that it would be prudent to change your passwords at those other sites, too, right?

        Smart people know this, yes. If that were the majority of Facebook users, Facebook would not bother to do this.