In November 2016, Alex Stamos, then Chief Security Officer at Facebook, stated that the company buys password dumps sold by hackers on the black market and cross-references them with the hashed passwords stored on its platform.
Stamos was speaking at the Web Summit in Lisbon, Portugal, where he explained the technique Facebook now relies on to protect users' accounts.
As CNET quoted:
Keeping Facebook safe and keeping it secure are two different things; security is about building walls to keep out threats and shore up defenses. It turns out that we can build perfectly secure software and yet people can still get hurt.
The passwords bought on the black market are those stolen in breaches at Yahoo, Dropbox, Twitter, LinkedIn and MySpace, among others, and subsequently offered for sale by the hackers.
Stamos also said that password reuse is the number one cause of account compromise on the internet, and that the social network is especially exposed in this regard because it attracts over 1.3 billion visitors a day.
For example, 123456 is the most commonly used password, and in the stolen databases it appeared in a large share of the accounts. Keeper Security published the 25 worst passwords of 2016, compiled from the data breaches of that year.
So what Facebook actually does is check the leaked passwords against its users' stored password hashes. Since a platform stores passwords as salted hashes rather than plaintext, a check like this means hashing each leaked password under the individual user's salt and comparing the result, user by user. If a match is found, the security team flags the account as exploitable and asks the user to change the password.
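The check described above, as an added example that is not Facebook's code and is not taken from the article: a small salted-hash store, a constructed leak dump and a top-passwords list, and a routine that flags every account whose current password is in the attacker's hands. The PBKDF2 work factor, the sample accounts and the leaked credentials are all assumptions made for the demo.

```python
import hashlib
import hmac
import os

# Demo work factor only; production PBKDF2 deployments use a far higher count.
ITERATIONS = 20_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a password, as a site would store it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def build_store(accounts):
    """accounts: {email: plaintext}. Returns {email: (salt, hash)}; the plaintext is discarded."""
    store = {}
    for email, password in accounts.items():
        salt = os.urandom(16)          # per-user salt: no precomputed lookup is possible
        store[email] = (salt, hash_password(password, salt))
    return store


def password_matches(entry, candidate: str) -> bool:
    """Re-hash the candidate under this user's salt and compare in constant time."""
    salt, stored = entry
    return hmac.compare_digest(stored, hash_password(candidate, salt))


def find_exposed_accounts(store, leak, common_passwords):
    """
    Flag accounts whose current password is known to attackers.
    leak: list of (email, plaintext) pairs from a purchased dump.
    common_passwords: short list of top passwords checked against every user.
    Returns {email: reason}.
    """
    # Pass 1: cheap join on e-mail, then one hash per leaked password for that user.
    by_email = {}
    for email, pw in leak:
        by_email.setdefault(email.lower(), set()).add(pw)
    flagged = {}
    for email, entry in store.items():
        for pw in by_email.get(email.lower(), ()):
            if password_matches(entry, pw):
                flagged[email] = "reused_leaked_credential"
                break
    # Pass 2: common passwords have no e-mail to join on, so every user is tested.
    # Cost is users x candidates hashes, which is why this list is kept short.
    for email, entry in store.items():
        if email in flagged:
            continue
        for pw in common_passwords:
            if password_matches(entry, pw):
                flagged[email] = "common_password"
                break
    return flagged


# Constructed sample data (hypothetical accounts and a hypothetical dump).
ACCOUNTS = {
    "alice@example.com": "123456",        # reused the password leaked below
    "bob@example.com": "Tr0ub4dor&3",     # appears in the dump, but with a different password
    "carol@example.com": "password",      # not in the dump, but on the common list
    "dave@example.com": "x9$kLm!2pQvW",   # neither leaked nor common
}
LEAK = [
    ("alice@example.com", "123456"),
    ("bob@example.com", "oldLinkedInPass"),
    ("erin@example.com", "123456"),       # no such account here; ignored
]
COMMON_PASSWORDS = ["123456", "password", "qwerty"]
STORE = build_store(ACCOUNTS)


def demo():
    """Run the check over the constructed store and dump."""
    return find_exposed_accounts(STORE, LEAK, COMMON_PASSWORDS)


if __name__ == "__main__":
    for email, reason in demo().items():
        print(f"{email}: {reason} -> force password reset")
```

Only alice and carol are flagged: alice because the exact credential pair from the dump still works on this site, carol because her password is on the common list even though she is absent from the dump; bob's leaked password is stale, so his account is left alone. Because every comparison has to re-run the salted hash, the expensive all-users sweep is limited to a short common-password list, while the bulk of the dump is matched through the cheap e-mail join first.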
The site offers a range of tools for safeguarding accounts, from the customary two-factor authentication to a newly introduced USB security key feature. To detect fraudulent login attempts, Facebook uses social graph algorithms.
Stamos also said that “Even though we provide these options, it is our responsibility to think about those people that choose not to use them.”