SecureMac, Inc.

Computer security news. Just for Macs.

Get the latest computer security news for Macs and be the first to be informed about critical updates. Industry news, security events and all you need right at your fingertips. Malware threats change daily, so keep up to date on the latest developments to help ensure your privacy and protection. You can never be too safe.

Facebook Enters the Online Black Market to Buy Back Passwords

Posted on December 21, 2016

With years of high-profile hacks and huge numbers of stolen passwords already in the history books, it’s no surprise that there’s a black market on the web for dealing with this hacked data. What you might not know, however, is that the purchasers of such information aren’t always those with a malicious purpose. Rather than some spammer or botnet operator buying up your stolen password, it could actually be Facebook. Why would the social media giant head onto the dark web to purchase illegitimately obtained user information, though? The answer is quite simple: it helps to bolster their own security immensely.

Facebook’s user base is so immense that it’s a sure bet some of its users will appear in password dumps sold on the black market. After receiving the passwords, they check the contents of the database against their own users. If any of the same passwords show up, Facebook flags the user’s account as needing a password reset. The user must then reset their password before they can log back in; this prevents malicious and unauthorized access to the account. The result is a safer, more secure social platform and hopefully some increased awareness about password security.

It’s important to note that Facebook doesn’t store user passwords in any form immediately readable by anyone with access to the database. Instead, an algorithm generates an alphanumerical code known as a “hash” for each password. Facebook hashes the databases of stolen passwords they purchase as well, using the results to check their own hashed passwords. This method allows them to detect whether a password has been used twice without actually knowing what it is in clear text.

Facebook isn’t the only company to take such steps; as a matter of fact, a similar practice has arisen in the financial sector. Banks often look to secure dumps of credit and debit card information, allowing them to pre-emptively deactivate them before identity theft occurs. While it is an extreme step, it’s certainly a necessary one in today’s world.

While no one can provide a 100% safeguard against hackers who steal passwords, this is one highly effective way to mitigate the potential for damage. However, it’s no substitute for one of the basic rules of password creation: never re-use the same password on more than one website. Isolate your passwords from one another — it’s a much safer way to browse.

  • Don Ruhl

    Thanks, this is good to know.

Join our mailing list for the latest security news and deals