

Facebook Warns Users After Adobe Breach - daw___
http://krebsonsecurity.com/2013/11/facebook-warns-users-after-adobe-breach/comment-page-1/

======
chrislong_
I work at Facebook on the security team that helped protect the accounts
affected by the Adobe breach. We checked the plaintext passwords that had
already been worked out by researchers. We took those recovered plaintext
passwords and ran them through the same code that we use to check your
password at login time. I posted a comment to the same effect on the Krebs
article earlier today.

We try to be proactive about finding sources of compromised passwords on the
Internet. Through practice, we’ve become more efficient and effective at
protecting accounts with credentials that have been leaked, and we use an
automated process for securing those accounts.
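
The check chrislong_ describes, as an added illustration that is not Facebook's code: recovered plaintexts are fed through the site's ordinary login verification against its own salted hashes, and only matching accounts are queued for a forced reset. All names, the PBKDF2 parameters and the sample data are constructed for the example.

```python
import hashlib
import hmac
import os


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever the site really uses;
    # the iteration count is kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_store(credentials):
    """Build {email: (salt, hash)} from (email, password) pairs. Sample data only."""
    store = {}
    for email, password in credentials:
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(password, salt))
    return store


def verify_login(store, email, password) -> bool:
    """The same check the login path performs: rehash the candidate with the stored salt."""
    entry = store.get(email.lower())
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, hash_password(password, salt))


def find_reused_credentials(store, leaked):
    """Run recovered (email, plaintext) pairs through the login check.
    Only emails that exist locally get tested, and no plaintext is retained."""
    flagged = set()
    for email, plaintext in leaked:
        if verify_login(store, email, plaintext):
            flagged.add(email.lower())
    return flagged


# Constructed demo data, not real leaked values.
USERS = make_user_store([
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "unique-long-passphrase!"),
])
LEAKED = [
    ("Alice@example.com", "correct horse battery staple"),  # reused: flag it
    ("bob@example.com", "123456"),                          # different password
    ("dave@example.com", "hunter2"),                        # no such local account
]

if __name__ == "__main__":
    for email in sorted(find_reused_credentials(USERS, LEAKED)):
        print("force reset and notify:", email)
```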

------
lsh123
A couple of weeks ago we noticed an email/password check bot running against
our service. It was going through the list of emails from Adobe (we didn't
decrypt passwords though, just matched emails). The bot itself was blocked by
our system, but we emailed our users that had their email/password tested. The
funny part is that the bot had a bug: it followed the returned 302 redirect.
Since it was coming from Chinese IPs, we started to reply with redirects to
www.gov.cn, and the bot stopped about an hour after that. Obviously, someone
got a visit from China's KGB :) :) :)

~~~
anfedorov
Curious... that's not the first I've heard of this happening recently.

------
Mtinie
My first reaction was "Hey, that's a great idea, it will probably protect a
bunch of people."

My second reaction was to wonder if this sets a precedent for Facebook that
may bite them in the ass in the future. Are they going to do this for every
major data-breach that occurs? Furthermore, is it even legal for their team to
be in possession of that "publicly available" list of Adobe user passwords? A
lot of stuff is available on the Web, but that doesn't mean it's all legal to
possess.

~~~
X-Istence
What if this was not from the publicly available list? How would they even
know that the password used by the user on Facebook is the same as the
password used by the user on Adobe?

They would need to have the decryption key to be able to verify that ...

------
eurleif
So does this imply Adobe gave Facebook a list of user passwords?

~~~
nacs
Those were/are publicly available in a multi-GB download around the net.

~~~
Buge
But the passwords are encrypted (not hashed) with a key that, as far as I know,
is not publicly available.

------
rodrodrod
Explain xkcd has a good writeup on how to recover some of the user passwords
given the encrypted password db, for those curious:

[http://www.explainxkcd.com/wiki/index.php?title=1286:_Encryp...](http://www.explainxkcd.com/wiki/index.php?title=1286:_Encryptic)

------
mtsmithhn
Facebook just took the known emails/passwords from Adobe and ran them through
their own password encryption routine and checked for a match. For matches
they reset the passwords on the FB accounts.

~~~
Buge
But the passwords aren't exactly known.

The only way to know them is to have people manually examine the password
hints and guess (without confirmation of whether the guess was right or not).
It's funny trying to picture Facebook employees looking through 150 million
password hints trying to guess passwords.

------
csense
xkcd on password re-use: [http://xkcd.com/792/](http://xkcd.com/792/)

