Facebook on Friday provided more details about how it tries to protect the accounts and passwords of users whose credentials unwittingly end up on the file-sharing websites that hackers typically frequent.
To keep itself informed of what stolen account information may be lurking on the web, the social network’s security team looks out for news on data breaches and then routinely scans so-called “paste” sites to see if any of the information on these sites belongs to Facebook users.
After gathering the stolen email and password combinations, the security team feeds that data to a program that converts it into the form Facebook actually stores. Facebook does not keep its users' passwords in plain text; it runs them through a hashing algorithm that turns each password into a scrambled value that only Facebook can check against. So the company needs to hash the stolen credentials the same way before it can compare them with the scrambled data in its own database.
From the Facebook blog post:
"This is a completely automated process that doesn't require us to know or store your actual Facebook password in an unhashed form. In other words, no one here has your plain text password." (Facebook)
If Facebook finds that a stolen email address and password match a user's combination in its database, the company said it will notify that user and explain how to update the password.
Facebook said this process has helped keep users secure in the past, as in the case of the big Adobe breach that took place last year. As security reporter Brian Krebs explained in a post on the Adobe breach last year, any company that hashes its users' passwords can do what Facebook did here and cross-check stolen credentials against its own data.
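The matching process described above (hash the leaked pairs the same way the site stores them, then compare) and the point that any site holding password hashes can run the same check can be shown in a short example. This is added illustration code, not Facebook's program or anything from the article; the hashing scheme (PBKDF2-HMAC-SHA256 with a per-user random salt), the `email:password` paste format and the sample accounts are all assumptions constructed here. Because each stored hash has its own salt, only the site that holds the hashes can do this comparison, which is why the work has to happen on the defender's side rather than in the paste itself.

```python
import hashlib
import hmac
import os

# Assumed hashing scheme for this example: PBKDF2-HMAC-SHA256 with a
# random 16-byte salt per user. The article does not say what Facebook uses.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Return the salted, iterated hash of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def build_user_db(accounts):
    """Constructed stand-in for the site's credential store: email -> (salt, hash).

    A real system already holds these hashes; we derive them from sample
    passwords only so the example is self-contained.
    """
    db = {}
    for email, password in accounts:
        salt = os.urandom(16)
        db[email.lower()] = (salt, hash_password(password, salt))
    return db


def parse_paste(text):
    """Parse 'email:password' lines from a paste dump.

    Malformed lines are skipped; only the first ':' separates the fields so
    passwords containing ':' survive intact. Emails are normalised to lower case.
    """
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, _, password = line.partition(":")
        pairs.append((email.strip().lower(), password))
    return pairs


def find_affected_accounts(db, leaked_pairs):
    """Return the emails whose leaked password hashes to their stored hash.

    Leaked passwords are hashed with the victim's own salt; nothing is ever
    stored or compared in plain text. Users not in the database are ignored.
    """
    affected = []
    for email, password in leaked_pairs:
        record = db.get(email)
        if record is None:
            continue  # not one of our users
        salt, stored_hash = record
        # Constant-time comparison avoids leaking timing information.
        if hmac.compare_digest(hash_password(password, salt), stored_hash):
            affected.append(email)
    return affected


# Constructed sample data (not real accounts).
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "correct horse"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "s3cret:pass"),
]

SAMPLE_PASTE = """\
alice@example.com:correct horse
bob@example.com:wrongguess
dave@example.com:whatever
this line is garbage
CAROL@example.com:s3cret:pass
"""


if __name__ == "__main__":
    db = build_user_db(SAMPLE_ACCOUNTS)
    for email in find_affected_accounts(db, parse_paste(SAMPLE_PASTE)):
        print(f"notify {email}: leaked password matches current password")
```

Only alice and carol are flagged: bob's leaked password does not hash to his stored value, and dave is not a user of the site at all. The notification step (forcing a reset and explaining why) is what the article says follows a match.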
Post and thumbnail images courtesy of Flickr user SpencerEHoltaway.