Facebook Designs Stolen Credentials Parsing System

Facebook has built an automated system designed to analyze data from online published credential leaks, according to their announcement.

Facebook users are going to be prompted if their usernames and passwords match the ones leaked online.

This measure is going to protect users who have been compromised in third-party data breaches and have the same credentials on Facebook.

The primary source seems to be Pastebin and other online repositories, as for the information, the process is completely automated and “doesn’t require us (Facebook) to know or store your actual Facebook password in an un-hashed form,” said Chris Long, Facebook’s Security Engineer.

“In other words, no one here has your plain text password. To check for matches, we take the email address and password and run them through the same code that we use to check your password at login time.”

When Facebook stores passwords, they are in a hashed form generated by a proprietary algorithm and a unique salt is added for each user.

Now Facebook’s system checks for online credentials leaks and automatically parses them all. Then they cross-check every email and hashed password to their user database.

“If the email address and hash combination does match, we will notify you the next time that you use Facebook and guide you through a process to change your password.”

“Changing your password will invalidate the stolen password and help protect Facebook account.”

The issue with leaked third-party credentials is that users often reuse passwords for other services.

Users are advised to employ two-factor authentication and never reuse their credentials from other services.