Facebook has acknowledged that it trawls the black market for stolen passwords in an effort to strengthen its own security and protect users who reuse the same password across multiple online accounts.
Speaking at the Web Summit in Lisbon on Wednesday, Facebook’s Chief Security Officer Alex Stamos described how the social network buys stolen passwords so that it can cross-reference them against its own hashed password database (Facebook stores password hashes, not reversible encrypted passwords, so each leaked password has to be rehashed and compared). Stamos called the task “computationally heavy” but said that doing it has allowed the company to alert tens of millions of users that they were using bad or insecure passwords.
As Sophos’s Naked Security blog points out, we have known for some time that Facebook compares its password database against stolen databases. After the Adobe breach in 2013, Facebook used the leaked Adobe data to identify which of its users had the same password on both services; anyone found reusing their Adobe password was locked out of Facebook until a new, stronger password was set. Still, it is notable that Facebook is willing to say publicly that buying stolen passwords is part of its operational security practice.
Stolen passwords are frequently sold on the black market, and that is how a great many follow-on account compromises happen. Buyers take those caches and try the usernames and passwords not only against the breached service (if it has not reset every password) but also against other services where users may have reused the same credentials, a technique known as credential stuffing.
That is part of what makes using the same password on more than one site such a bad idea: you might not care about one account being hijacked, but that same password could unlock information you do care about.
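The comparison Stamos described, and the reuse problem it targets, can be illustrated with a small worked example. The code below is an added illustration, not Facebook's own implementation: it assumes a site stores per-user salted PBKDF2 hashes (Facebook's real hashing scheme is not described on this page), uses a constructed leak of a handful of plaintext passwords and a constructed user table, and shows why the cross-reference costs one key-derivation run per user per leaked password. The function and variable names are invented for the example.

```python
import hashlib
import hmac
import os

# Constructed example data: plaintext passwords "recovered" from a breach dump.
LEAKED_PASSWORDS = ["123456", "password1", "letmein", "Summer2013!", "qwerty"]

# PBKDF2 work factor. Kept small so the example runs in well under a second;
# production sites use far higher counts, which is precisely what makes a full
# database-versus-dump comparison computationally heavy.
ITERATIONS = 20_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever hash a real site uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def build_user_db(credentials: dict) -> dict:
    """Turn {username: plaintext} into the stored form: (per-user salt, hash).
    The plaintexts are used only here, to construct the sample database."""
    db = {}
    for username, password in credentials.items():
        salt = os.urandom(16)
        db[username] = (salt, hash_password(password, salt))
    return db


def find_users_with_leaked_passwords(user_db: dict, leaked_passwords: list):
    """Cross-reference stored hashes against a list of leaked plaintexts.

    Each user has a distinct salt, so every leaked password must be rehashed
    once per user: up to len(user_db) * len(leaked_passwords) KDF runs.
    Returns (set of usernames whose current password is in the dump,
             number of KDF evaluations performed).
    """
    flagged = set()
    kdf_runs = 0
    for username, (salt, stored_hash) in user_db.items():
        for candidate in leaked_passwords:
            kdf_runs += 1
            # Constant-time comparison; avoids leaking how many bytes matched.
            if hmac.compare_digest(hash_password(candidate, salt), stored_hash):
                flagged.add(username)
                break  # one match is enough to force a reset for this user
    return flagged, kdf_runs


def is_password_leaked(candidate: str, leaked_passwords) -> bool:
    """Cheap check for login or password-change time, when the site has the
    plaintext in hand and no per-user rehashing is needed."""
    return candidate in leaked_passwords


# Constructed users: two reuse a password from the dump, one does not.
SAMPLE_USERS = build_user_db({
    "alice": "Summer2013!",
    "bob": "c0rrect-horse-battery-staple",
    "carol": "letmein",
})

if __name__ == "__main__":
    flagged, runs = find_users_with_leaked_passwords(SAMPLE_USERS, LEAKED_PASSWORDS)
    print(f"force password reset for: {sorted(flagged)} ({runs} KDF evaluations)")
    print("new password 'qwerty' accepted?", not is_password_leaked("qwerty", LEAKED_PASSWORDS))
```

The two functions reflect the two points at which a site can act. The offline sweep (`find_users_with_leaked_passwords`) is the expensive path: the cost scales with users times leaked passwords, and the per-user salt prevents hashing the dump once and reusing the result. The cheap path (`is_password_leaked`) works at login or password-change time, when the plaintext is available, and is the natural place to refuse a password that is already circulating.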