Facebook is buying stolen passwords on dark web black markets to cross-reference them with encrypted passwords already in use on the site.
Alex Stamos, chief security officer at the social media giant, disclosed the information at the Web Summit in Lisbon.
Although he described the process as "computationally heavy," he said his company has been able to alert millions of users about resetting their vulnerable passwords to a stronger alternative, effectively ensuring users' account and data safety.
“The reuse of passwords is the No. 1 cause of harm on the internet," Stamos said at the conference according to CNET.
Kunal Anand, co-founder and Chief Technology Officer at Prevoty agreed with Stamos adding that it's a smart move and a continuation of Facebook trying to protect its users on and off the social network.
“Most people re-use passwords across multiple accounts and with Facebook buying stolen passwords, the social network can help reduce risk for individuals,” Anand told SC Media via emailed comments. “It helps buy user trust (people will associate Facebook with being the "good person") and helps reduce customer service/security associated costs down the road.”
Other security experts highlighted that then need to purchase the passwords from the darkweb highlights even bigger issues within the overall approach to security.
“This episode further underscores the undeniable weaknesses of 30-year password technology and the urgent need to move to multi-factor authentication which provides far great security and ease of use for consumers,” VASCO Data Security Vice President John Gunn told SCMedia via emailed comments. “Some may argue that paying to purchase stolen passwords will only encourage more hacking attacks just as paying ransom provides incentives for additional ransomware attacks.”
He went on to say that the attacks are going to happen regardless and the incentive for hackers already exists and that any action that enhances protection hurts criminal hackers and makes their attacks less effective
