If you’ve used the same email account/password combo on Facebook and Adobe, Facebook has probably already pushed your account into a closet and locked the door.
It won’t let you out until you change that password, security journalist Brian Krebs reported on Monday.
As Krebs reports, Facebook’s security team is now mining the data leaked from the Adobe breach to find users who – let’s not mince words, here, since we should all know better by now – committed the egregious security sin of using the same password to login to both Facebook and Adobe.
Those password sinners are now receiving this message:
Recently, there was a security incident on another website unrelated to Facebook. Facebook was not directly affected by the incident, but your Facebook account is at risk because you were using the same password in both places.
The accounts aren’t shut down, per se. They’re hidden from public view until the password is changed, because anyone who has pulled an email address and password out of Adobe’s data set could use that same login to hijack an identically credentialed Facebook account.
After answering a handful of security questions and changing their passwords, the users’ accounts will be let out of the closet.
Facebook is telling such users that for their own sake, “no one can see you on Facebook until you finish”.
Krebs reports that Diapers.com and Soap.com sent similar notices to their customers on Sunday.
It’s for our own good, of course.
The Adobe hack, which the company revealed in October, involved a huge dump of Adobe’s customer database being published online, stuffed with an eye-popping 150,000,000 breached customer records.
To make matters worse, the passwords had been encrypted rather than hashed, under a single key and with no per-user salt, so identical passwords show up as identical ciphertext, and the password hints were stored alongside them in clear text.
In his analysis of what’s looking to be the biggest password disaster of all time, Naked Security’s Paul Ducklin details how it’s easy to recover a startling amount of information from Adobe’s encrypted-but-not-hashed data set.
Hell, I’m a crypto-idiot, and even I could see how easy it would be to crack passwords after reading Paul’s article (granted, I had to read it three times).
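The analysis Paul describes rests on one property of Adobe’s scheme: the same password always produces the same ciphertext, and the hints sit next to it in the clear. The following is an added example, not code from the article or from Adobe; the “cipher” is a fixed-key XOR standing in for a real block cipher (the key and the row format are assumptions for the demo), and the six user rows are constructed. The analyst never needs the key: grouping rows by ciphertext, pooling the hints of each group, and reading the password length off the ciphertext length is enough to break the biggest groups, and knowing one account’s password (your own, say) gives away every account that shares its ciphertext.

```python
import base64
from collections import defaultdict
from itertools import cycle

BLOCK = 8  # block size of the stand-in cipher, in bytes

# Stand-in for a reversible, single-key, unsalted scheme. This is a fixed-key
# XOR, not Adobe's real cipher; the property the analysis relies on is the
# same: the same password always produces the same ciphertext.
_FIXED_KEY = b"assumed-demo-key"  # hypothetical; the analyst never sees it


def pkcs7_pad(data, block=BLOCK):
    """Pad to a whole number of blocks, as a block cipher would require."""
    n = block - len(data) % block
    return data + bytes([n]) * n


def encrypt_like_adobe(password):
    """Deterministic 'encryption' of a password, returned base64-encoded."""
    padded = pkcs7_pad(password.encode())
    ct = bytes(a ^ b for a, b in zip(padded, cycle(_FIXED_KEY)))
    return base64.b64encode(ct).decode()


def build_sample_dump():
    """Constructed dump rows in the form 'email|ciphertext|hint'
    (a simplified format for the demo, not Adobe's real one)."""
    users = [
        ("alice@example.com", "monkey", "favourite animal"),
        ("bob@example.com", "monkey", "banana lover"),
        ("carol@example.com", "monkey", ""),
        ("dave@example.com", "password1", "pass plus one"),
        ("erin@example.com", "password1", "the usual"),
        ("frank@example.com", "correcthorse", "xkcd"),
    ]
    return [f"{email}|{encrypt_like_adobe(pw)}|{hint}" for email, pw, hint in users]


def plaintext_length_range(ct_b64, block=BLOCK):
    """The ciphertext length leaks the padded length, so the password
    length lies in a window of `block` possible values (inclusive)."""
    n = len(base64.b64decode(ct_b64))
    return (n - block, n - 1)


def analyse_dump(rows):
    """Group records by ciphertext and pool the clear-text hints per group.
    Returns one report entry per distinct password, biggest group first."""
    groups = defaultdict(lambda: {"emails": [], "hints": []})
    for line in rows:
        email, ct, hint = line.split("|")
        groups[ct]["emails"].append(email)
        if hint:
            groups[ct]["hints"].append(hint)
    report = [
        {
            "ciphertext": ct,
            "users": len(g["emails"]),
            "hints": g["hints"],
            "length_range": plaintext_length_range(ct),
        }
        for ct, g in groups.items()
    ]
    # One correct guess for the biggest group unlocks the most accounts.
    report.sort(key=lambda r: r["users"], reverse=True)
    return report


def accounts_sharing_password_with(rows, known_email):
    """If the analyst knows one user's password (e.g. their own), every row
    with the same ciphertext has that password too. Returns those emails."""
    by_email = {line.split("|")[0]: line.split("|")[1] for line in rows}
    target = by_email[known_email]
    return [email for email, ct in by_email.items() if ct == target]


if __name__ == "__main__":
    dump = build_sample_dump()
    for entry in analyse_dump(dump):
        print(entry["users"], "users, hints:", entry["hints"],
              "length in", entry["length_range"])
    print("share carol's password:", accounts_sharing_password_with(dump, "carol@example.com"))
```

Run against the constructed rows, the “monkey” group is the largest, its pooled hints (“favourite animal”, “banana lover”) point straight at the password, and the ciphertext length says it is at most seven characters. A salted hash would have given each of those three users a different stored value and no way to pool the hints.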
If you’re like a large number of commenters on Krebs’s story, you’re probably asking how Facebook is able to find users who have used the same password on both websites without repeating Adobe’s errors and storing passwords in clear text or encrypted form.
Chris Long, a security incident response manager at Facebook, actually chimed in to give this explanation in a comment on the story:
We used the plaintext passwords that had already been worked out by researchers. We took those recovered plaintext passwords and ran them through the same code that we use to check your password at login time.
In simple terms, Facebook doesn’t store its users’ passwords; it passes them through a one-way hashing function and stores the result. A password can be turned into its hash, but there is no practical way to turn a hash back into the password that made it. Done properly, each stored hash also gets its own random salt, which is why the same password produces different stored values on different sites, and for different users on the same site.
When somebody logs in to Facebook the password they hand over is passed through the same one-way hashing function and if the result matches what Facebook has on record that user is allowed in.
Facebook can use the same process on passwords that researchers have recovered from the Adobe data. If they pass an Adobe user’s recovered password through their hashing function they can see if the result matches what they have on record for that user.
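Here is that process in working code, as an added example that is not Facebook’s code (nor from the article): PBKDF2-HMAC-SHA256 with a per-user random salt stands in for whatever Facebook’s own login check uses, the three-user table and the “recovered” list are constructed, and the iteration count is an assumption for the demo. It is the same procedure a commenter sketches further down: keep only the recovered pairs whose email is one of our users, run each plaintext through our own login check, and closet the ones that pass. Nothing about the hashing scheme of the breached site matters; only the recovered plaintext is used.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the demo; tune for real use


def hash_password(password, salt=None):
    """Store only a per-user random salt and the derived key, never the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify_password(password, record):
    """The login-time check: re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def build_user_table():
    """Constructed 'our site' table keyed by email: salted hashes only."""
    return {
        "alice@example.com": hash_password("monkey"),         # reused on both sites
        "bob@example.com": hash_password("Tr0ub4dor&3"),      # different password here
        "carol@example.com": hash_password("correct horse"),  # not in the other dump
    }


# Constructed stand-in for the plaintexts researchers recovered from the
# other site's dump (email -> recovered password).
RECOVERED_FROM_OTHER_SITE = {
    "alice@example.com": "monkey",
    "bob@example.com": "monkey",
    "zed@example.com": "letmein",  # not a user here at all
}


def find_reused_passwords(user_table, recovered):
    """Return the accounts to 'closet': those whose recovered password passes
    our own login check. Non-users are skipped and nothing about them is kept."""
    closet = set()
    for email, plaintext in recovered.items():
        record = user_table.get(email)
        if record is None:
            continue  # not our user: no check, no record retained
        if verify_password(plaintext, record):
            closet.add(email)
    return closet


if __name__ == "__main__":
    table = build_user_table()
    print("accounts to closet:", find_reused_passwords(table, RECOVERED_FROM_OTHER_SITE))
```

On the constructed data only alice is closeted: bob’s recovered Adobe-side password fails the check because his password here is different, and zed is not a user at all. Because every user has a distinct salt, two users with the same password still get different stored hashes, so a leaked hash from one site cannot be matched against another site’s table; the comparison only works once the plaintext has been recovered.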
Clearly, Facebook didn’t have to be Big Brotherish in its data-mining operation.
Given the recovered passwords and their corresponding email addresses, it’s a simple matter for Facebook to hash each one and compare the result with what it has on record, and only accounts whose email address appears in both data sets even need to be checked.
Not only is Facebook being non-Big-Brotherish, it’s being proactive in protecting customers, for which it deserves hearty kudos. If only all companies shepherded their customers’ data in this manner.
Another good thing to come out of Facebook’s move is that, hopefully, those poor, password-sinning customers are going to take the lesson about password reuse to heart.
Make sure your family, your friends, your colleagues and anybody else you can think of are choosing strong passwords, at least 12 characters long, that mix letters, numbers and special characters.
If those passwords are impossible to remember, that’s good – all the better. That’s what they make password managers like LastPass or KeePass for.
Thanks to my password manager, I couldn’t tell a hacker any of my passwords even if they used the sweetest social engineering honey in the world.
Obviously, we’re always talking about not reusing passwords at Naked Security but it’s just one of our 3 essential security tasks. So while you’re fixing your passwords please do the other 2 tasks as well.
To stay on top of all things Facebook, consider joining up with Naked Security on our Facebook page.
How can Facebook be aware someone is using the same email/password combo?
Read the article…
“When somebody logs in to Facebook the password they hand over is passed through the same one-way hashing function and if the result matches what Facebook has on record that user is allowed in.
Facebook can use the same process on passwords that researchers have recovered from the Adobe data. If they pass an Adobe user’s recovered password through their hashing function they can see if the result matches what they have on record for that user.”
You’ll have to read again carefully. But basically Facebook hijacked the already hijacked personal info for their own purposes.
Let me see if I got this straight. Hackers steal 150,000,000, then abandon them on a website. Facebook “liberates” the stolen passwords and uses them.
Analogy: Hacker steals car for joy ride, abandons it on street with the keys in it. Facebook drives off in it.
I’ll be impressed if you can convince me that the Facebook “heroes” aren’t in possession of stolen property. Then explain who gave them the right to harvest and use the hashed passwords of the people who aren’t Facebook users.
Seems to me facebook should be forced by threat of prosecution to delete all the passwords they harvested.
For the sake of a counter argument, I’ll attempt to respond.
Although I can’t comment on the actual act of what they did (they did have plain-text pass/username pairs to perform the check at some point), I can say it could be done in a fashion that didn’t expose the plain-text credentials to Facebook employees or the individuals in charge of the audit.
1. Grab raw data, i.e. plain-text usernames (email addresses) and passwords. (This is the questionable part.)
2. Parse out all non-Facebook users based off of the raw data and Facebook username data. This can easily be scripted out, and it is suggested to do so, to automate the process against a huge amount of data.
3. Now that you are only left with Facebook users, all you’d have to do is loop through every user/pass combo and hash the pass according to Facebook’s regular login function. Then compare to what Facebook has on record for that username.
4. If it matches, ‘closet’ the Facebook account. If not, continue to the next iteration of the loop.
5. Profit.
Since I don’t know all the information here, I wonder if their use of these ‘passwords’ violates state or government laws. Since the data is stolen, it would appear that, if it is treated like property, you could not use it. I don’t like them doing this as it means another ‘track’ of yourself is on the web. Not good news.
Jack
If Facebook is able to use the same password hash found in Adobe’s stolen database to compare to their password hashes, then does that mean that Facebook uses the same insecure hashing algorithm as Adobe?
No it doesn’t, not at all.
Adobe’s passwords weren’t hashed at all, they were encrypted in a way that made it easy to figure out the passwords once the database had been raided. What’s more they were stored with clear text password hints that made it even easier to guess the passwords.
So what we’re left with from the Adobe breach is not a bunch of hashes or a bunch of safely encrypted passwords but a bunch of actual honest-to-goodness clear text passwords like ‘monkey’, ‘password1’ and ‘12345’.
Facebook are using the usernames and passwords that have been exposed and, in effect, they’re just seeing if they can use them to log into Facebook. If a specific username and password that worked on Adobe also works on Facebook then the account is ‘closeted’.
As somebody else described it on here it’s a bit like finding a key for one house and seeing if it works on another. It says nothing about the lock if it does – locks are supposed to open if they’re given the correct key – but it says everything about how poorly the key’s owner was looking after it.
Angelo, for that subset of passwords that they could uncover because of the password hints and other clues, all they have to do is run the discovered password through the same hashing process that they use in their database and compare them. If they match, they are the same password. If the hashes do not match, they are different.
Magyver, A better analogy would be that they found someone’s “Adobe house” key on the sidewalk, realized that the key would also open the door to the “Facebook house”, and have secured their own home with additional protections until the lock is changed.
As for the stolen property bit, if that were the law, the MPAA would have made use of that tactic a long time ago.
Wow, looks like folks didn’t read the article carefully. What it said was all correct and proper. Facebook didn’t “steal” your passwords, nor did they do anything illegal. What they did, and what the article said they did, was take the *already-exposed* passwords from Adobe’s database (that hackers have already published) and then passed them through the same routine that is used when you enter your password to log in to Facebook. If the resulting “hash” matches the hash stored in the Facebook database, then that means the two passwords are the same. Period.
“After answering a handful of security questions and changing their passwords, the users’ accounts will be let out of the closet.
They’ll then be asked to answer a few security questions and then change their password.”
So uh… They’ll be asked questions, change their password, then be asked questions and change their password again? Why did you repeat yourself here?
Thanks for pointing out – this is now fixed.
So you are suggesting instead of using a password we can actually remember we should put all of our faith in a couple of 3rd party applications (LastPass or KeePass) and give them all of our details to everything we own and value and hope that the same thing never happens to them and that they don’t ever get tempted to do anything with all of this information?
This is not a solution!
Yes, that’s what we’re suggesting. As with most things, it’s a compromise, but it is – in our collective opinion – the least bad.
If you can create strong passwords (random mixtures of 12+ characters) for each and every website you use and remember them then please do because that would be even better.
For most people this is not good advice, it’s secure but it’s not achievable or realistic.
If you prefer not to store your passwords with ‘cloud’ services then store them in a local key chain on your computer. A lot of people are fans of the Correct Horse Battery Staple approach but I’m not sure it scales to hundreds of passwords. You could also write down mnemonics that help you, but not thieves, remember your passwords.
But whatever you do please don’t reuse your passwords.
In general, I despise Facebook for their high-handed and cavalier attitude towards its members’ private information. In this case, however, I cannot praise them enough.
First, they are protecting their users from having their Facebook accounts compromised (thereby protecting the data Facebook has worked so hard to worm out of them) but they are also providing a concrete, in-your-face education to those compromised Adobe users who use the same password at Facebook.
If it wouldn’t give ideas to blackhats (and anyone capable of taking advantage of the attack has almost certainly thought of it), it would be interesting to know how many accounts Facebook has closeted.
Lance ==)———-
P.S. FWIW, it turns out that I had a long-forgotten account on Adobe that used a password I shared with almost 100 other users.
For anyone in IT, remembering your 12+ character passwords in your head is mandatory and realistic. It wasn’t easy at first, but I logged in to my sites on a rotation at first. Pretty soon, I was able to rotate the passwords as well.
tl;dr Practice, Practice, Practice.