
Facebook sees 600,000 compromised logins per day—0.06% of all logins - evo_9
http://arstechnica.com/gadgets/news/2011/10/facebook-sees-600000-compromised-logins-per-day006-of-all-logins.ars
======
mkjones
It's probably worth clarifying that a "compromised login" means "you know the
username and password for an account, but we suspect you may not be the actual
account holder." Basically, knowing someone's username and password is not
enough to get into their Facebook account.

Every time this happens, we don't let the suspicious login into the account,
and instead make them pass some additional authentication challenge. Often
this involves a "social captcha" (see
<http://lifehacker.com/5743872/facebook-experimenting-with-social-captchas-for-authentication> or
<https://www.facebook.com/blog.php?post=486790652130>), which basically tests
that you are the account owner based on the shared knowledge of who your
friends are.

Accounts are often compromised outside the facebook ecosystem (via phishing,
malware, sharing their password with a site that was compromised, etc). I
think the fact that we catch so many is actually pretty awesome.

A more-accurate (but less link-baity) headline might be "Facebook prevents
600,000 compromised logins / day."
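
The login flow described in this comment, as an added example that is not Facebook's code: a correct password is necessary but not sufficient, an unfamiliar device or country triggers a step-up challenge, and the challenge is a toy "social captcha" built from the account's friends. All usernames, friend names, device ids and countries are constructed, and the risk scoring thresholds are an assumption for illustration.

```python
"""Toy risk-based login check (added example, not Facebook's code)."""
import hashlib
import hmac
import random
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    friends: list                                       # used to build the social challenge
    known_devices: set = field(default_factory=set)     # device cookie ids seen before
    known_countries: set = field(default_factory=set)   # countries this account logged in from


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so a stolen table of hashes is slow to brute-force.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def create_account(username, password, home_country, friends):
    salt = secrets.token_bytes(16)
    return Account(username, salt, hash_password(password, salt),
                   list(friends), set(), {home_country})


def evaluate_login(account, password, device_id, country):
    """Return 'deny', 'allow' or 'challenge' for one username/password attempt."""
    if not hmac.compare_digest(hash_password(password, account.salt), account.pw_hash):
        return "deny"                      # wrong password never gets further
    risk = 0
    if device_id not in account.known_devices:
        risk += 1                          # new browser/device cookie
    if country not in account.known_countries:
        risk += 2                          # never seen this account from here
    if risk >= 2:                          # threshold is an assumption
        return "challenge"                 # knowing the password is not enough
    account.known_devices.add(device_id)   # low risk: remember the device
    return "allow"


def make_social_challenge(account, decoys, rng=random):
    """Pick one real friend, mix with decoy names (assumed not to be friends).

    The server keeps the expected answer; the client only sees the options."""
    friend = rng.choice(account.friends)
    options = [friend] + list(decoys)
    rng.shuffle(options)
    return friend, options


def complete_challenge(account, expected_friend, chosen, device_id, country):
    """On a correct answer, start trusting this device and country."""
    if chosen != expected_friend:
        return False
    account.known_devices.add(device_id)
    account.known_countries.add(country)
    return True


if __name__ == "__main__":
    acct = create_account("alice", "correct horse", "US", ["bob", "carol", "dave"])
    print(evaluate_login(acct, "correct horse", "dev1", "US"))   # allow
    print(evaluate_login(acct, "correct horse", "dev2", "BR"))   # challenge
```

The point of the split between `evaluate_login` and `complete_challenge` is that a phished password alone lands in the "challenge" branch, which is what the comment calls a compromised login that was stopped; only after the step-up succeeds does the new context become trusted.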

~~~
Joakal
I don't believe Facebook was able to prevent someone who knows enough of that
person (eg Palin attack). Or am I misunderstanding you?

~~~
notahacker
Probably the most common compromising of user accounts is friends borrowing
users' computers or mobile devices whilst the user remains logged in. I'm not
sure whether Facebook does much to prevent this, although I'm not convinced
it's reasonable to expect them to do much either.

------
dotBen
I don't understand how they have "1 billion logins a day". They only have
500-600 million accounts (and not all of those are active).

I'm assuming a "login" is the specific act of typing in your username and
password into the site to authenticate into a specific account - pertinent
here because we're talking about people logging in with compromised
credentials.

When I visit Facebook, I'm usually cookied and so to me that isn't a login. If
I had compromised the account I wouldn't consider myself 're-compromising it'
just by visiting it again with the cookie already in place.

Maybe this is just semantics but seeing as we're making a headline out of a
stat, it seems worth drilling down on.

~~~
alexgartrell
> They only have 500-600 million accounts (and not all of those are active).

Nope, we have 800+ million monthly active users (logged in w/i the past
month). On one day, we had 500+ million active users in a single day. Though I
don't know the exact number, it's probably safe to assume that not every
account was logged into in the past month (people pass away, etc.), so the
number of accounts is probably larger than 800 million.

~~~
dotBen
_we have 800+ million monthly active users_

Assuming we = you work for FB, can you help us out with what a "login" is
defined as internally, given that the stat is 1 billion logins a day and
you're saying you have 500+m active users.

...does that mean on average every user _physically_ logs into the site
(username + password) twice a day?

~~~
mkjones
In this case, "login" means roughly "we see a username / password pair and
evaluate whether or not it is compromised given the current context."

(I work on the team that does these classifications.)

------
Retric
Wait, 0.06%/day * 365 ~= 21.9% per year. And they think that's a good thing?
How about a ~50/50 chance your account will be compromised every 2.5 years?

PS: Ok, 1-(1-.0006)^(2.5 *365) = 42% but that's still terrible odds IMO.

~~~
prophetjohn
It's still 0.06% of all logins per year. You have to multiply 365 by the 1
billion logins every day, too, not just the 600K fraudulent ones.

~~~
Retric
What's important is the number of accounts compromised not the number of
successful logins. I doubt their numbers are all that accurate, and some
accounts are probably compromised several times a day etc, but I can't see how
you can look at those numbers and think "this is a good thing".

~~~
prophetjohn
The number of accounts compromised (or really, the number of times an account
is compromised) has to be put in context. The context is the number of logins
per unit time. So, I think they're both important.

And I don't think anyone is saying that any number of compromised accounts is
a good thing. I question how much control Facebook has, though, given that
many people will inevitably have passwords such as "abcd1234."

~~~
Retric
I agree you need context, but logins are only meaningful where logging in is
how you compromise an account. If the issue is brute forcing passwords then
time is the only meaningful context. As to passwords, it's easy enough to
prevent overly common passwords: just prevent someone from using overly easy
to guess passwords, and throttling failed logins for a given account to 20 /
hour per IP makes dictionary attacks all but useless for anyone without a
botnet.
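
The two controls in this comment, as an added example (not Facebook's code): a blocklist that rejects overly common passwords at signup, and a sliding-window throttle that counts failed logins per source IP and stops evaluating guesses once 20 have failed within an hour. The blocklist, the user table, the IP addresses and the guess list are all constructed; a real deployment would store salted hashes rather than the plaintext table used here.

```python
"""Common-password blocklist plus per-IP failed-login throttle (added example)."""
from collections import defaultdict, deque

# Constructed sample blocklist; a real one would be a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "abcd1234", "qwerty", "letmein"}


def password_acceptable(password, min_length=8):
    """Reject short or blocklisted passwords at signup / change time."""
    return len(password) >= min_length and password.lower() not in COMMON_PASSWORDS


class FailedLoginThrottle:
    """Sliding-window count of failed logins per source IP (20 / hour by default)."""

    def __init__(self, limit=20, window_seconds=3600):
        self.limit = limit
        self.window = window_seconds
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures

    def _prune(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0] >= self.window:   # drop failures older than the window
            q.popleft()

    def allowed(self, ip, now):
        self._prune(ip, now)
        return len(self.failures[ip]) < self.limit

    def record_failure(self, ip, now):
        self._prune(ip, now)
        self.failures[ip].append(now)


# Constructed user table; plaintext only to keep the example short.
USERS = {"alice": "purple-ostrich-42"}


def check_credentials(username, password):
    return USERS.get(username) == password


def attempt_login(throttle, ip, username, password, now):
    """Throttle check first, so a blocked IP never gets a credential oracle."""
    if not throttle.allowed(ip, now):
        return "throttled"
    if check_credentials(username, password):
        return "ok"
    throttle.record_failure(ip, now)
    return "bad_credentials"


def run_guesses(throttle, ip, username, guesses, start_time, spacing=1):
    """Feed guesses from one IP at fixed spacing and tally the outcomes."""
    tally = {"ok": 0, "bad_credentials": 0, "throttled": 0}
    for i, guess in enumerate(guesses):
        tally[attempt_login(throttle, ip, username, guess, start_time + i * spacing)] += 1
    return tally


def hours_to_exhaust(dictionary_size, limit_per_hour=20):
    """Lower bound on wall-clock hours to try every word from a single IP."""
    return dictionary_size / limit_per_hour


if __name__ == "__main__":
    t = FailedLoginThrottle()
    guesses = [f"guess{i}" for i in range(100)]
    print(run_guesses(t, "198.51.100.7", "alice", guesses, 0))
    print(hours_to_exhaust(1_000_000), "hours for a million-word list")
```

The throttle keys on the source IP, which is exactly why the comment qualifies its claim with "anyone without a botnet": each additional source address buys another 20 guesses per hour, so a per-IP limit should be paired with a per-account limit or a step-up challenge for the account itself.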

