Facebook has been navigating the dark web in search of stolen passwords, buying credentials off the black market in a bid to protect users.
By purchasing stolen passwords off the black market, Facebook aims to increase its own security, as well as protect users who rely on one password for two or more accounts.
While most people know that it's highly recommended to use different passwords for each account, many still use the same passwords over and over again so they don't have to remember too many passwords. This is a liability in terms of security, however, and Facebook wants to do something about it.
Why Is Facebook Buying Stolen Passwords?
According to Alex Stamos, Chief Security Officer at Facebook, the social network buys stolen passwords off the dark web to run them against its own password database.
The mission is daunting and "computationally heavy," Stamos said, but it enabled Facebook to detect risks and warn millions of users that their passwords were insecure.
This Facebook practice is not that new, Sophos's Naked Security points out. Facebook has been running its password database against stolen passwords for a good while now, and has acted whenever it discovered vulnerabilities.
During the 2013 Adobe hack, for instance, Facebook used this method to discover which users relied on the same password to secure both their Adobe and their Facebook accounts. If it found passwords that coincided with the ones used for Adobe, Facebook locked users out of the social network until they set a stronger password.
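What such a check involves on the defender's side, as an added example that is not from the article or from Facebook. It assumes the service stores a per-user salt and a slow PBKDF2 hash (the article does not say how Facebook stores passwords); all function names, accounts and dump entries are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed work factor for the demo; real deployments tune this

def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash (PBKDF2-HMAC-SHA256), an assumed stand-in for the service's scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def make_record(password: str) -> dict:
    """Build a stored-credential record the way the assumed service would at signup."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "must_reset": False}

def find_reused_credentials(user_db: dict, leaked_pairs: list) -> list:
    """Return emails whose leaked password also opens the local account.

    Each stored hash has its own salt, so the dump cannot be hashed once and
    intersected with the database: every candidate costs one full slow-hash
    computation, which is why the job is computationally heavy.
    """
    affected = []
    for email, leaked_password in leaked_pairs:
        key = email.strip().lower()
        record = user_db.get(key)
        if record is None:
            continue  # leaked address has no account here
        candidate = hash_password(leaked_password, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            record["must_reset"] = True  # lock until a new password is set
            affected.append(key)
    return affected

# Constructed sample data: three local accounts and a four-entry "dump".
USER_DB = {
    "alice@example.com": make_record("correct horse battery staple"),
    "bob@example.com": make_record("hunter2"),
    "carol@example.com": make_record("S3parate-For-This-Site"),
}
LEAKED = [
    ("bob@example.com", "hunter2"),           # same password on both services
    ("Carol@Example.com", "carol-other-pw"),  # account exists, password differs
    ("alice@example.com", "letmein"),
    ("dave@example.com", "hunter2"),          # no local account
]

if __name__ == "__main__":
    print(find_reused_credentials(USER_DB, LEAKED))
```

Only the account whose leaked password actually matches is flagged; the plaintext from the dump is used for the comparison and never stored.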
Most residual data breaches occur due to stolen passwords sold on the black market. Those who buy the caches can use the usernames and passwords to breach the accounts for the service in question, as well as any other accounts on other services where the same credentials apply.
Keep Data Safe With Strong Passwords
Using strong, unique passwords is paramount to protecting your data, privacy and information, and that's why an increasing number of companies are taking additional steps to force their customers to beef up security. Microsoft, for instance, announced back in May that it would ban basic passwords such as "password," "12345" and the like.
Google also announced fairly recently that Chrome would call out insecure websites in a bid to protect users' passwords and sensitive information such as credit card details.
Buying Stolen Passwords - The Dilemma
Buying stolen passwords, however, raises some concerns. Even if the purpose is to beef up security, some security professionals argue that buying stolen data is still shady. On the other hand, others believe that since the data is already up for grabs, it's better for a company to buy it and increase security rather than having the information fall into the wrong hands.