Users prompted to change password if log-in data in a stolen database matches their Facebook credentials

Oct 20, 2014 09:53 GMT

An automated system has been built by Facebook to collect and analyze information in large databases published online containing usernames and passwords corresponding to the accounts of its users.

The measure aims to protect Facebook users whose account details have been compromised as a result of data breaches.

In an announcement on Friday, Facebook security engineer Chris Long says that processing the information encountered in different online repositories (generally Pastebin and the like) is done completely automatically and does not require knowledge of the user password or storing it in plain text.

User passwords are not known to Facebook

Facebook stores only the hash of the password, which is computed with a proprietary algorithm after a unique salt is appended for each user.

A hash is a method of transforming data with a specific algorithm into a string of fixed length, so that each output corresponds to a unique input (here, the password).

Reverting a hash to the original input should not be possible, but if the original input is guessed, its corresponding hash can be computed and compared.

A salt is basically a set of random data appended to the password. Once the altered password is hashed, recovering the original password is virtually impossible because of the additional unique salt.

“In other words, no one here has your plain text password. To check for matches, we take the email address and password and run them through the same code that we use to check your password at login time,” Long said.

If a match is found, the user is notified at the next log-in and receives instructions for changing their password, thus invalidating the credentials that have ended up in the hands of a third party.
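The matching step described above, as an added illustration rather than Facebook's own code: the proprietary hash algorithm is not public, so PBKDF2-HMAC-SHA256 with a per-user salt stands in for it, and the dump lines are constructed.

```python
import hashlib
import hmac
import os

# Stand-in for the undisclosed proprietary scheme: PBKDF2-HMAC-SHA256 with a per-user salt.
ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def register(user_db: dict, email: str, password: str) -> None:
    # Only the random salt and the resulting hash are stored; the plaintext is discarded.
    salt = os.urandom(16)
    user_db[email] = (salt, hash_password(password, salt))

def verify_login(user_db: dict, email: str, password: str) -> bool:
    # The same check used at login: re-hash the candidate with the stored salt and compare.
    record = user_db.get(email)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)

def parse_dump(text: str) -> list:
    # Parse "email:password" lines as found in a typical paste; malformed lines are skipped.
    pairs = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, _, password = line.strip().partition(":")
        pairs.append((email.lower(), password))
    return pairs

def find_compromised(user_db: dict, dump_text: str) -> list:
    # Flag only emails whose dumped password passes the login check; unknown emails
    # and non-matching passwords produce no action, as the article describes.
    return [e for e, p in parse_dump(dump_text) if verify_login(user_db, e, p)]

# Constructed sample data for illustration (not taken from any real dump).
USERS = {}
register(USERS, "alice@example.com", "correct horse battery staple")
register(USERS, "bob@example.com", "hunter2")
SAMPLE_DUMP = """alice@example.com:correct horse battery staple
bob@example.com:not-his-password
carol@example.com:whatever
garbage line without separator"""
```

Only alice is flagged: bob's dumped password is wrong and carol has no account, so neither triggers a notification.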

Recycling passwords is a bad idea

When hacking a service, cybercriminals know that the credentials they steal may give them access to other online accounts because users often rely on the same password to sign into other services.

“The problem of password reuse on multiple websites is endemic and well documented,” says Long, who suggests using a password manager for storing different passwords and logging into accounts without having to remember them.

In a recent incident, about seven million credentials were exposed online, some of them granting access to Dropbox cloud storage accounts. The credentials had been stolen from other services, but password recycling meant that they also matched Dropbox accounts.

The security researcher said that no action is taken if an email and hash combination found in a public location does not match the log-in of a Facebook user, which means those users may remain unaware that a data breach exposed their email address until the breached service alerts them.