Facebook is actively trawling the dark web for stolen passwords

As Dropbox learned earlier this week, password dumps are a regular occurrence on today's web. Thanks to duplicated passwords and security breaches across the web, just securing a company's servers isn't always enough to keep user passwords out of the hands of criminals.

Reusing passwords is still a very bad idea

Today, Facebook announced a new approach to the problem. For the past few months, they've been searching anonymous posting sites like Pastebin for leaked passwords and proactively trying out the passwords on Facebook accounts. If they get a hit, the user is notified and their password is automatically reset. The hope is, if a working Facebook password finds its way onto the dark web, Facebook will find it before any criminals do.

The core of the problem is still password recycling, which (just to be clear) is still a very bad, no-good idea. "If you use the same password on lots of websites, an attacker only has to get your password once to be able to access all of those accounts," Facebook security engineer Chris Long said in a public post announcing the project. But as long as users keep doing it, Facebook will find a way to try to protect them.
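As an added illustration (not Facebook's code and not part of the original article), here is one way a service could run this kind of check on its own accounts: hash each leaked password with the affected user's stored salt, compare it to the stored hash, and queue any match for a forced reset and notification. The PBKDF2 storage scheme, the `email:password` dump format, and every name and sample value are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example

def hash_password(password, salt):
    """Assumed storage scheme: salted PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def parse_dump(text):
    """Yield (email, password) from 'email:password' lines, skipping malformed ones."""
    for line in text.splitlines():
        email, sep, password = line.strip().partition(":")
        email = email.strip().lower()
        if sep and "@" in email and password:
            yield email, password  # the password may itself contain ':'

def find_exposed_accounts(dump_text, user_store):
    """Return the emails whose leaked password matches our stored hash."""
    exposed = set()
    for email, leaked in parse_dump(dump_text):
        record = user_store.get(email)
        if record is None:
            continue  # not one of our users
        candidate = hash_password(leaked, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            exposed.add(email)  # caller forces a reset and notifies the user
    return exposed

def _make_user(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

# Constructed sample data: two users of our service and a fake dump.
USER_STORE = {
    "alice@example.com": _make_user("correct horse"),
    "bob@example.com": _make_user("unique-to-this-site"),
}
SAMPLE_DUMP = """\
alice@example.com:correct horse
bob@example.com:hunter2
carol@example.com:password1
Alice@Example.com:old:pass
not a credential line
"""

if __name__ == "__main__":
    for email in sorted(find_exposed_accounts(SAMPLE_DUMP, USER_STORE)):
        print(f"force reset and notify: {email}")
```

Only the account whose leaked password is actually in use on the service is flagged; users who reused nothing, or who are not customers at all, are left alone.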

It's a sign of how the security world has shifted in recent years. What used to be a public catastrophe can now be easily guarded against with ecosystem-level protections. Actual hacks are still a real concern, but password dumps that recycle old data from old hacks are causing less damage and raising less of an alarm. If you've ever worried about Russian hackers taking over your Facebook page, that's very good news.