Facebook buys black market password dumps to protect user accounts

Not many companies these days have been as good as Facebook at keeping their name out of the headlines for security breaches, and this in large part is due to the work of its security team — headed by Alex Stamos.

Facebook has added many security features over the years, things like two-factor authentication, unrecognized browser login notices, and more, but one of the biggest security flaws for Stamos and his team concerns passwords. Many people are lazy with their passwords, using the same one everywhere or picking easy-to-guess combinations like 1234567, and while Facebook’s team has developed the above security measures to help make even accounts with weak passwords safe, the fact is that many Facebook users don’t make use of them.

During Web Summit in Lisbon, Portugal, Stamos noted this weak point in security and talked about the responsibility of the social network to protect all accounts on Facebook, even the ones who don’t make use of all the security features. “The reuse of passwords is the number one cause of harm on the internet,” Stamos said at the conference.

But one tactic the company is taking to ensure the security of these password-only accounts is to go to the black market and buy stolen passwords from hackers, and then cross-referencing those against encrypted passwords in the Facebook system, looking for matches.

A security system is only as strong as its weakest link, and in the case of Facebook and the vast majority of the web at this point, that weak link is the username/password system that has been in place since the web was invented.

While the company might be criticized for funneling money to the hacking economy, it is at the same time impressive to see a corporation such as Facebook thinking outside of the box when it comes to protecting our social accounts.