If you’ve used the same email account/password combo on Facebook and Adobe, Facebook has probably already pushed your account into a closet and locked the door.
It won’t let you out until you change that password, security journalist Brian Krebs reported on Monday.
As Krebs reports, Facebook’s security team is now mining the data leaked from the Adobe breach to find users who – let’s not mince words, here, since we should all know better by now – committed the egregious security sin of using the same password to log in to both Facebook and Adobe.
Those password sinners are now receiving this message:
Recently, there was a security incident on another website unrelated to Facebook. Facebook was not directly affected by the incident, but your Facebook account is at risk because you were using the same password in both places.
The accounts aren’t shut down, per se – they’re just being kept out of the public eye, where any malicious user who’s wiggled email accounts/passwords out of Adobe’s data set could have used the same login information to hijack an identically credentialed Facebook account.
After answering a handful of security questions and changing their passwords, the users’ accounts will be let out of the closet.
Facebook is telling such users that for their own sake, “no one can see you on Facebook until you finish”.
Krebs reports that Diapers.com and Soap.com sent similar notices to their customers on Sunday.
It’s for our own good, of course.
The Adobe hack, which the company revealed in October, involved a huge dump of Adobe’s customer database being published online, stuffed with an eye-popping 150,000,000 breached customer records.
To make matters worse, the data included passwords that had been encrypted rather than hashed, along with password hints stored in clear text. Encryption is reversible by anyone holding the key, and because Adobe encrypted every password the same way, identical passwords produced identical ciphertext, so a hint that gives away one user’s password gives away every other user’s password with the same ciphertext.
In his analysis of what’s looking to be the biggest password disaster of all time, Naked Security’s Paul Ducklin details how it’s easy to recover a startling amount of information from Adobe’s encrypted-but-not-hashed data set.
Hell, I’m a crypto-idiot, and even I could see how easy it would be to crack passwords after reading Paul’s article (granted, I had to read it three times).
If you’re like a large number of commenters on Krebs’s story, you’re probably asking how Facebook is able to find users who have used the same password on both websites without repeating Adobe’s errors and storing passwords in clear text or encrypted form.
Chris Long, a security incident response manager at Facebook, actually chimed in to give this explanation in a comment on the story:
We used the plaintext passwords that had already been worked out by researchers. We took those recovered plaintext passwords and ran them through the same code that we use to check your password at login time.
In simple terms, Facebook doesn’t store its users’ passwords; it passes them through a one-way hashing function and stores the result. Passwords can be used to create hashes, but hashes can’t be used to recreate the passwords that made them.
When somebody logs in to Facebook, the password they hand over is passed through the same one-way hashing function, and if the result matches what Facebook has on record, that user is allowed in.
Facebook can use the same process on passwords that researchers have recovered from the Adobe data. If it passes an Adobe user’s recovered password through its hashing function, it can see whether the result matches what it has on record for the account with that email address. This is also why Facebook needed the recovered plaintext passwords rather than Adobe’s ciphertext: Adobe’s encrypted blobs can’t be compared to Facebook’s hashes, because the two sites transform passwords differently (and any salt or other per-user input Facebook uses has to be applied to the plaintext).
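To make the mechanism concrete, here is an added example (not Facebook’s code, and not from the original article) of a salted, one-way password store plus a reuse check that feeds recovered plaintext passwords from another site’s breach through exactly the same verification path that login uses. The PBKDF2-HMAC-SHA256 hash, the per-user salt, the in-memory dictionary store and the sample accounts and “recovered” passwords are all assumptions constructed for the example, not details of Facebook’s or Adobe’s systems.

```python
import hashlib
import hmac
import os

# Hypothetical store: email -> (salt, hash). Plaintext is never kept.
# PBKDF2 with a per-user salt is an assumed scheme for illustration only.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way: password in, fixed-size digest out. Same input + salt -> same output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(store: dict, email: str, password: str) -> None:
    """Store only a random salt and the hash, as a site that never keeps plaintext would."""
    salt = os.urandom(16)
    store[email] = (salt, hash_password(password, salt))


def verify_login(store: dict, email: str, password: str) -> bool:
    """The login-time check: hash the offered password with this user's salt and compare."""
    record = store.get(email)
    if record is None:
        return False
    salt, stored_hash = record
    # Constant-time comparison so a wrong guess doesn't leak via timing.
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def find_reused(store: dict, recovered: dict) -> list:
    """Given plaintext passwords recovered from another site's breach (email -> password),
    run each one through the ordinary login check. A match means the user reused it.
    Note that only the plaintext works here: another site's ciphertext or hashes were
    produced with different keys/salts and cannot be compared against our hashes."""
    return sorted(email for email, pw in recovered.items() if verify_login(store, email, pw))


def sample_run() -> list:
    """Constructed sample data: three local accounts and a 'recovered' set from elsewhere."""
    store = {}
    register(store, "alice@example.com", "correcthorse")
    register(store, "bob@example.com", "Tr0ub4dor&3")
    register(store, "carol@example.com", "letmein")

    recovered = {
        "alice@example.com": "correcthorse",  # reused on both sites
        "bob@example.com": "123456",          # different password here
        "carol@example.com": "letmein",       # reused
        "dave@example.com": "password",       # not a user of this site at all
    }
    return find_reused(store, recovered)


if __name__ == "__main__":
    print("accounts to lock pending a password change:", sample_run())
```

The point of the example is that the reuse check adds no new storage and no new secret: it is the login routine called with a different source of candidate passwords. The recovered plaintexts still pass through memory, so in practice they should be handled like any other credential material and discarded as soon as the affected accounts are flagged.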
Clearly, Facebook didn’t have to be Big Brotherish in its data-mining operation.
Given the easily cracked passwords and their corresponding email addresses, it seems like a no-brainer for Facebook to run the recovered passwords through its own hashing function and compare the results with what it has on file for each account.
Not only is Facebook being non-Big-Brotherish, it’s being proactive in protecting customers, for which it deserves hearty kudos. If only all companies shepherded their customers’ data in this manner.
Another good thing to come out of Facebook’s move is that, hopefully, those poor, password-sinning customers are going to take the lesson about password reuse to heart.
Make sure your family, your friends, your colleagues and anybody else you can think of are choosing strong passwords, at least 12 characters long, that mix letters, numbers and special characters.
If those passwords are impossible to remember, that’s good – all the better. That’s what they make password managers like LastPass or KeePass for.
Thanks to my password manager, I couldn’t tell a hacker any of my passwords even if they used the sweetest social engineering honey in the world.
Obviously, we’re always talking about not reusing passwords at Naked Security but it’s just one of our 3 essential security tasks. So while you’re fixing your passwords please do the other 2 tasks as well.
To stay on top of all things Facebook, consider joining up with Naked Security on our Facebook page.