IT Security Guru

Facebook deploys credential analysis tool to protect users

by The Gurus
September 10, 2020
in Editor's News

Facebook has announced plans to scour lists of breached credentials to identify its own users.

In a blogpost, Facebook security engineer Chris Long said that it is common for attackers to post the email addresses and passwords they steal on public ‘paste’ sites. Facebook has therefore built a system dedicated to further securing people’s accounts by actively looking for these public postings, analysing them and then notifying people when it discovers that their credentials have shown up elsewhere on the internet.

He said: “To do this, we monitor a selection of different ‘paste’ sites for stolen credentials and watch for reports of large scale data breaches. We collect the stolen credentials that have been publicly posted and check them to see if the stolen email and password combination matches the same email and password being used on Facebook.

“This is a completely automated process that doesn’t require us to know or store your actual Facebook password in an unhashed form. In other words, no one here has your plain text password. To check for matches, we take the email address and password and run them through the same code that we use to check your password at login time. If we find a match, we’ll notify you the next time you log in and guide you through a process to change your password.”

He explained that the ‘pasted’ credentials are passed into a program that parses it into a standardised format and after the data has been downloaded and parsed, an automated system checks each one of them against the Facebook internal databases to see if any of the email addresses and hashed passwords match valid login information on Facebook.

“We hash each password using our internal password hashing algorithm and the unique salt for that person. Since Facebook stores passwords securely as hashes, we can’t simply compare a password directly to the database. We need to hash it first and compare the hashes,” he said.

He went on to explain that if the email and hash combination doesn’t match, Facebook takes no action, since a mismatch indicates that the stolen password is different from the password the user has on Facebook. If the email address and hash combination does match, it will notify the user the next time they use Facebook and guide them through a process to change their password.
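
The matching step described above, sketched as an added example (not Facebook's code). PBKDF2-HMAC-SHA256 stands in for the internal hashing algorithm, which the post does not name; the in-memory user table, the `must_reset` flag and the sample paste are constructed for illustration.

```python
import hashlib, hmac, os, re

ITERATIONS = 100_000  # assumption: PBKDF2 stands in for the site's internal hash

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def verify_login(db: dict, email: str, password: str) -> bool:
    """Same check as at login: hash with the user's own salt, compare hashes."""
    record = db.get(email)
    if record is None:           # not one of our users: nothing to hash
        return False
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare

# An email, one separator (: ; | , tab or space), then the password to end of line.
LINE_RE = re.compile(r"^\s*([^\s:;|,]+@[^\s:;|,]+)\s*[:;|,\t ]\s*(.+?)\s*$")

def parse_paste(text: str):
    """Normalise a raw paste into (email, password) pairs; skip other lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)

def check_paste(db: dict, text: str) -> list:
    """Flag accounts whose leaked pair matches; the plaintext is never stored."""
    flagged = []
    for email, password in parse_paste(text):
        if verify_login(db, email, password):
            db[email]["must_reset"] = True   # prompt a password change at next login
            flagged.append(email)
    return flagged

def make_user(password: str) -> dict:
    salt = os.urandom(16)        # unique salt per user
    return {"salt": salt, "hash": hash_password(password, salt), "must_reset": False}

# Constructed sample data, not taken from any real dump.
USERS = {"alice@example.com": make_user("hunter2"),
         "bob@example.com": make_user("correct horse")}
PASTE = """Alice@Example.com:hunter2
bob@example.com;letmein
carol@example.com | qwerty
-- dumped by nobody --"""

if __name__ == "__main__":
    print(check_paste(USERS, PASTE))
```

Only the reused pair is flagged: a leaked password that differs from the stored one, or an address with no account, results in no action.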

Security researcher and founder of haveibeenpwned.com Troy Hunt told IT Security Guru that he thought the concept was great, very proactive and said that it goes a long way to address the recent spate of account “hacks” that seem to boil down to nothing more than password reuse.

He said: “Facebook are big enough and have enough resources to well and truly go this on their own. That they own all their own data already means that so long as they can get their hands on the breaches (and that’s not hard), they’ve got all the moving parts they need already.”

Asked how fast a system like this could operate, bearing in mind Facebook’s more than one billion users, Hunt said that he did not see a problem with speed. Firstly, a bunch of the public dumps have some form of cryptographic storage, so unless Facebook goes down the password cracking path, these will be useless for its purposes.

He said: “Adobe, for example, didn’t have clear text passwords. Pastebin is a different story as there’s a lot of clear text there, but it’s also smaller dumps rarely exceeding 20k so you’d just take those, match a subset to existing Facebook accounts then effectively ‘log in’ with them and see if they work. Yes, you’re doing a bunch of hashing which is resource intensive, but it’s relatively frequent batches of smaller data sets and they’ve got serious resources at their disposal to make it work.”
