Paste sites are where hackers and others wishing to remain anonymous go to dump sensitive information. Those websites are also where Facebook is now looking to track down information about user accounts that have been compromised.
If Facebook finds credentials that match one of its users' accounts, the social networking site will notify the individual of the security issue the next time he or she logs in. Facebook will guide the user through the steps of changing his or her password, but asserts that the process of tracking compromised credentials is automated.
"This is a completely automated process that doesn't require us to know or store your actual Facebook password in an unhashed form," says Chris Long, a Facebook security engineer. "In other words, no one here has your plain-text password. To check for matches, we take the email address and password and run them through the same code that we use to check your password at login time."
After Facebook's automated search pinpoints leaked credentials associated with one of its users' accounts, its software encrypts the information and compares the data with account details stored in its servers. Because the same algorithms are used to encrypt leaked and stored passwords, the software is able to determine if the exposed data is associated with a Facebook account without having to store the plain-text version of the information.
If the suspected leaked credentials don't match up with any information on Facebook's servers, the social networking site won't take any further action with regard to the data.
"This system has worked very well for us in the past, but we recognize that preventing stolen credentials is also important," says Long. "The problem of password reuse on multiple websites is endemic and well-documented. The risks are also clear: if you use the same password on lots of websites, an attacker only has to get your password once to be able to access all of those accounts."
The inside look into Facebook's security efforts continues the social networking site's celebration of National Cyber Security Awareness Month. In an Oct. 3 post, Matt Jones, a site integrity engineer, detailed how Facebook goes after individuals who sell manufactured likes and hack into user's accounts to place spam promotions.
"We have obtained nearly $2 billion in legal judgments against spammers, and we utilize these channels when possible to remind would-be offenders that we will fight back to prevent abuse on our platform," said Jones in the post.
