n a bid to keep its users’ accounts safe, social networking site Facebook has created an automated service that monitors the web for stolen email addresses and passwords.
The service checks credentials to see if they match those being used on Facebook.
Once it finds a set of stolen credentials, it passes the data into a programme that analyses it in computer language.
An automated system then checks it against the Facebook database to see if any of the email addresses and hashed passwords match login information on Facebook.
“Theft of personal data like email addresses and passwords can have larger consequences because people often use the same password on multiple websites,” Facebook’s security engineer Chris Long wrote in a Facebook post.
“We built a system dedicated to further securing people’s Facebook accounts by actively looking for these public postings, analysing them and then notifying people when we discover that their credentials have shown up elsewhere on the Internet,” he said.
If it finds a match, Facebook notifies the affected user the next time they log in and guides them through a process to change their password.
1. Once we find a set of stolen credentials, we pass the data into a program that parses it into a standardized format.
2. After the data has been downloaded and parsed, an automated system checks each one of them against the Facebook internal databases to see if any of the email addresses and hashed passwords match valid login information on Facebook. We hash each password using our internal password hashing algorithm and the unique salt for that person. Since Facebook stores passwords securely as hashes, we can’t simply compare a password directly to the database. We need to hash it first and compare the hashes.
3. If the email and hash combination doesn’t match, we don’t take any action. A mismatch indicates that the stolen password is different than the password you use on Facebook, and therefore an attacker wouldn’t be able to use that password to access your Facebook account.
4. If the email address and hash combination does match, we will notify you the next time that you use Facebook and guide you through a process to change your password. Changing your password will invalidate the stolen password and help protect Facebook account.
Source and Original Content by ndtv.com