Facebook buying stolen passwords – for users’ own good

12 Nov 2016

Facebook has admitted that it trolls the black market for stolen passwords – but for users' own good. It is part of the effort by the Facebook security team to protect users who may use weak passwords like '12345' or use the same password across multiple online accounts.

A security system is only as strong as its weakest link, and for the vast majority of the web at this point, that weak link is the username / password system that has been in place since the web was invented. "The reuse of passwords is the number one cause of harm on the internet," Facebook's chief security officer Alex Stamos said at the Web Summit in Lisbon on Wednesday.

Stamos talked about how the social network buys stolen passwords so that it can run its own encrypted password database against stolen passwords. He called the task "computationally heavy" but said that doing it has allowed the company to alert tens of millions of users that they were using bad or insecure passwords.

As Sophos's Naked Security blog points out, we've known before now that Facebook compares its password database to stolen databases. After the Adobe hack in 2013, Facebook used the leaked Adobe data to find out which customers had used the same password in both places.

If Facebook found that a user's Facebook password matched the one they had used for their Adobe account, it locked that user out of the service until a stronger password was entered. Still, it's interesting that Facebook would openly say it is willing to buy stolen passwords as part of its own operational security practices.
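The check Stamos describes, and the Adobe comparison above, amount to the same job: hash each leaked plaintext password with every stored account's own salt and compare against the stored hash, then force a reset on matches. The following is an added illustration, not Facebook's code; the user table, the PBKDF2 parameters and the "leaked" list are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed storage scheme: per-user random salt, PBKDF2-HMAC-SHA256.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(username: str, password: str) -> dict:
    """Build one stored credential record (plaintext is used only here, never kept)."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}


# Constructed user table.
USERS = [
    make_record("alice", "correct horse battery staple"),
    make_record("bob", "12345"),
    make_record("carol", "S3cure!Pass"),
]

# Constructed "leaked" plaintext passwords, standing in for a purchased dump.
LEAKED = ["password", "12345", "qwerty", "S3cure!Pass", "letmein"]


def find_reused(users: list, leaked: list) -> list:
    """Return usernames whose stored hash matches any leaked plaintext.

    Because every user has a unique salt, nothing can be precomputed once and
    shared: the work is len(users) * len(leaked) slow hashes, which is why the
    task is "computationally heavy" at Facebook's scale.
    """
    flagged = []
    for rec in users:
        for candidate in leaked:
            if hmac.compare_digest(rec["hash"], hash_password(candidate, rec["salt"])):
                flagged.append(rec["user"])  # this account gets a forced reset
                break
    return flagged


if __name__ == "__main__":
    print(find_reused(USERS, LEAKED))  # ['bob', 'carol']
```

Accounts returned by `find_reused` are the ones to lock and force through a password change, as the article says Facebook did after the Adobe breach.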

Stolen passwords are frequently sold on the black market. In fact, that's how most follow-on data breaches happen. People buy those caches and then use the usernames and passwords not only to break into accounts at the breached service (provided the service hasn't reset all passwords) but also at other services where users may have reused the same credentials.

That's part of what makes using the same password on more than one site such a bad idea: you might not care about one account getting hijacked, but that same password could provide access to information you do care about.

This practice isn't unique to Facebook. As the San Francisco Chronicle reported in January, more and more companies are taking this step to help protect users. The Chronicle cites PayPal as a company that has admitted to buying passwords on the black market as a "regular course of business".

A dozen people - including several current and former senior executives at major Silicon Valley mainstays and cybersecurity vendors - detailed the process and its importance to counterintelligence investigations to the San Francisco Chronicle. Companies that engage in the practice include top technology firms and banks, which reportedly bought back stolen credit and debit card numbers in the wake of the Target breach in 2013.

According to insiders, the tactic requires companies and intelligence vendors to infiltrate a complex criminal ecosystem of chat rooms and forums where stolen data is bought and sold, and participants are often vetted for their underworld bona fides.

The practice is sometimes looked down upon by security professionals who think buying stolen data is crossing a line, and the act of buying stolen information does sit in a legal grey area. Still, plenty more argue that if the data is already out there, it makes sense for large sites to at least be aware of it so that they can best secure their customers.