Facebook is Buying Your Passwords on the Black Market

With an increasing number of mid-sized social networking and media websites being hacked en masse – MySpace, LinkedIn, Badoo, and tumblr are listed in the top-ten mass security breaches on Have I Been Pwned?, with hundreds of millions of accounts compromised – it’s rare to hear stories of social media king Facebook suffering large-scale account compromises. One major reason for that is that the company buys black market passwords from hackers to cross-reference with existing user passwords, Facebook’s Chief of Security Alex Stamos revealed during a web summit in Lisbon this week.

“To check that Facebook members are not choosing these commonly used passwords for their accounts, Stamos revealed, the social network buys passwords hackers are selling on the black market and cross-references them with encrypted passwords used on the site,” reports CNet’s Katie Collins. “He described the task as “computationally heavy” but said that as a result of the exercise Facebook has been able to alert tens of millions of users that their passwords needed changing because they weren’t strong enough.”

Stamos joined Facebook from Yahoo in 2015, and his primary role is detecting and preventing threats against user accounts. Most of the problems he deals with, unsurprisingly, is passwords. “The reuse of passwords is the No. 1 cause of harm on the internet,” he said.

While Facebook offers additional security measures to its users, it can never be assumed that everyone is using them: “Even though we provide these options, it is our responsibility to think about those people that choose not to use them,” Stamos added.

Facebook is examining new ways of securing accounts and is considering implementing a system by which nominated close friends to help verify account recovery requests. “Usernames and passwords are an idea that came out of 1970s mainframe architectures,” Stamos said. “They were not built for 2016.”