This article is more than 1 year old

Facebook slurps 'paste sites' for stolen passwords, sprinkles on hash and salt

Zuck's ad empire doesn't see details in plain text. Phew!

Facebook's security bods routinely trawl public "paste" sites for email addresses and passwords stolen from its users, as part of an effort to outfox wrongdoers trying to hack into personal data on the free content ad network.

However, the Mark Zuckerberg-run company was at pains to point out that the data-slurping battle with the dark web didn't lead to Facebook storing its users' passwords in plain text.

"Unfortunately, it's common for attackers to publicly post the email addresses and passwords they steal on public 'paste' sites," said Facebook security engineer Chris Long in a blog post.

"Lots of household company names have experienced the unpleasant phenomenon of seeing account data for their sites show up in these public lists, and responding to these situations is time-consuming and challenging."

Data theft online is now big business, so Facebook has unleashed machines to try to tackle the problem, whack-a-mole style, before it becomes a huge headache for Zuck's siloed empire.

The rather inelegant system automatically sifts through sites, presumably such as, to look for instances where Facebook account details, including email addresses and passwords, are shared publicly online.

Long explained that the company eyeballs reports of "large scale data breaches" and monitors a number of paste sites for stolen credentials. It then automatically scrapes the details, before comparing the information with its own system to search for matches so as Facebook can then tell a user where data theft has occurred.

He added:

This is a completely automated process that doesn't require us to know or store your actual Facebook password in an unhashed form. In other words, no one here has your plain text password. To check for matches, we take the email address and password and run them through the same code that we use to check your password at login time.

If we find a match, we'll notify you the next time you log in and guide you through a process to change your password.

The data is parsed into a standardised format, Long said. Facebook's system that automatically checks each potential breach against its internal databases to see if matches can be found.

"We hash each password using our internal password hashing algorithm and the unique salt for that person. Since Facebook stores passwords securely as hashes, we can't simply compare a password directly to the database. We need to hash it first and compare the hashes," he said.

Facebook doesn't inform the user if matches aren't found on its system, but it has a procedure in place where such violations have been flagged up. Facebookers are told of the breach and prompted to enter a new password, Long said.

The security strategy was revealed by Facebook after a fraudster publicly posted what was purported to be a cache of no less than 7 million Dropbox login credentials onto Pastebin. ®

More about


Send us news

Other stories you might like