Last Wednesday, the Chief Security Officer of Facebook, Alex Stamos, said at the Web Summit in Lisbon that the social media giant bought stolen passwords on the black market. He claimed Facebook does this to keep the platform and its users safe.
Stamos’ statement came during a cyber security talk he gave at the Web Summit. The Facebook CSO previously held the same position at Yahoo, but he left back in 2015 due to a fundamental disagreement with the company’s security practices.
These last couple of months have shed some light on why Stamos left Yahoo. The company was the subject of the biggest hack in history, with half a billion compromised accounts, and it was also revealed that Yahoo willingly fed users’ emails to the NSA in real time.
Facebook is secure, but users make it unsafe for themselves
During his panel at Web Summit 2016, Alex Stamos talked about the essential difference between security and safety when it comes to Facebook as a social network.
Security, as he put it, is an inside-out effort from Facebook to ensure the platform is a virtual fortress. External threats such as hacks and DDoS attacks are all taken care of by Facebook’s security team.
In contrast, safety concerns users of the social network, and it inevitably deals with a human element. People who use the same password on every account they have online are potentially putting themselves at risk of being hacked.
“Usernames and passwords are an idea that came out of the 1970s mainframe architectures. They were not built for 2016,” Stamos said. “The reuse of passwords is the No. 1 cause of harm on the internet,” the CSO added.
Why did Facebook buy stolen passwords on the black market?
If someone reuses their password across several accounts on the Internet, there is a possibility that one of them becomes compromised. That, in turn, can get all their other accounts hacked if that password falls into the wrong hands.
As it turns out, the first half of this process may already have happened. Hackers get access to thousands of accounts that use passwords such as ‘123456’ and sell them on the black market for profit.
This is where Facebook comes in to buy the stolen passwords. The company runs the password batch through a program that matches those passwords with Facebook accounts that have the same one. The social media giant then issues an alert to the users to prompt them to change their password.
Does this mean that Facebook knows your password?
Many question this security practice by Facebook, but several other companies engage in the same password buyouts to keep their users safe. Moreover, Facebook never actually learns what the passwords are, as the matching code works without decoding or displaying the passwords themselves.
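The matching step described above (running a leaked batch against existing accounts, then alerting the affected users without ever storing the leaked plaintext) can be illustrated with a small defender-side check. This is an added example, not Facebook's own code: it assumes a hypothetical account store keeping only a per-user random salt and a PBKDF2 hash, and a constructed leaked batch of email/password pairs.

```python
import hashlib
import hmac
import os

# Constructed sample account store: only a per-user random salt and a
# PBKDF2-HMAC-SHA256 hash are kept, never the plaintext password.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


# Hypothetical accounts, constructed for this example only.
USER_STORE = {
    u["email"]: u
    for u in (
        make_user("alice@example.com", "123456"),
        make_user("bob@example.com", "correct horse battery staple"),
        make_user("carol@example.com", "hunter2"),
    )
}

# Constructed "leaked" batch as it might arrive from another site's breach:
# (email, plaintext password). Some entries belong to unknown users, one to a
# known user who used a different password here.
LEAKED_BATCH = [
    ("alice@example.com", "123456"),      # reused: must be flagged
    ("bob@example.com", "wrong-guess"),   # known user, different password
    ("carol@example.com", "hunter2"),     # reused: must be flagged
    ("dave@example.com", "letmein"),      # no such account
]


def find_reused_credentials(leaked_batch, user_store) -> list:
    """Return emails whose stored hash matches the leaked plaintext.

    Each leaked password is hashed with that account's own salt and compared
    in constant time; the plaintext is used transiently and never persisted.
    """
    flagged = []
    for email, leaked_password in leaked_batch:
        user = user_store.get(email)
        if user is None:
            continue
        candidate = hash_password(leaked_password, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            flagged.append(email)
    return flagged


if __name__ == "__main__":
    for email in find_reused_credentials(LEAKED_BATCH, USER_STORE):
        print(f"force password reset and notify: {email}")
```

The flagged list is what the alerting step acts on; accounts whose password differs from the leaked one are left alone, so the check reveals nothing about them.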
Stamos reminded users that Facebook has a large security settings page they can always tweak to their needs. The company is also looking into new safety measures for password and account recovery, but they are still under development.