Facebook Warns Users After Adobe Breach (krebsonsecurity.com)
42 points by daw___ on Nov 11, 2013 | hide | past | favorite | 13 comments

I work at Facebook on the security team that helped protect the accounts affected by the Adobe breach. We checked the plaintext passwords that had already been worked out by researchers. We took those recovered plaintext passwords and ran them through the same code that we use to check your password at login time. I posted a comment to the same effect on the Krebs article earlier today.

We try to be proactive about finding sources of compromised passwords on the Internet. Through practice, we’ve become more efficient and effective at protecting accounts with credentials that have been leaked, and we use an automated process for securing those accounts.

A couple of weeks ago we noticed an email/password check bot running against our service. It was going through the list of emails from the Adobe breach (we didn't decrypt passwords, though, just matched emails). The bot itself was blocked by our system, but we emailed our users who had their email/password tested. The funny part is that the bot had a bug: it followed the returned 302 redirect. Since it was coming from Chinese IPs, we started to reply with redirects to www.gov.cn, and the bot stopped about an hour after that. Obviously, someone got a visit from China's KGB :) :) :)

Curious... that's not the first I've heard of this happening recently.

My first reaction was "Hey, that's a great idea, it will probably protect a bunch of people."

My second reaction was to wonder if this sets a precedent for Facebook that may bite them in the ass in the future. Are they going to do this for every major data-breach that occurs? Furthermore, is it even legal for their team to be in possession of that "publicly available" list of Adobe user passwords? A lot of stuff is available on the Web, but that doesn't mean it's all legal to possess.

What if this was not from the publicly available list? How would they even know that the password used by the user on Facebook is the same as the password used by the user on Adobe?

They would need to have the decryption key to be able to verify that ...

So does this imply Adobe gave Facebook a list of user passwords?

Those were/are publicly available in a multi-GB download around the net.

But the passwords are encrypted (not hashed) with a key that as far as I know, is not publicly available.

It seems they must have, unless Facebook brute-forced or otherwise obtained the key which the database used to encrypt (two-way encryption, big no-no) the passwords.

Based on this article it's not immediately obvious how Facebook checked/knew that the password was in the pile, as opposed to just the user's email address. I'd think this means either they were given the encryption key by Adobe, Adobe simply gave them the plaintext keys, or they managed to get the key themselves (if it was weak).

Ninja edit: It appears there are sophisticated ways of figuring out the passwords without getting the key, and this is mentioned briefly in the bottom of the OP article. Also, this is the source for that info [0]

[0] http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-pass...

Explain xkcd has a good writeup on how to recover some of the user passwords given the encrypted password db, for those curious:
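An added example, not from any commenter and not code from the Sophos or explain xkcd writeups, showing the kind of analysis those writeups describe. Adobe's passwords were encrypted with 3DES in ECB mode rather than hashed, so equal 8-byte plaintext blocks produce equal ciphertext blocks across every user, and the unencrypted hints then let one good guess spread to everyone who shares those blocks. The rows, the ciphertext bytes and the "enc(...)" labels in the comments are all constructed for this example, not taken from the real dump:

```python
import base64
from collections import defaultdict

BLOCK = 8  # 3DES block size in bytes; ECB encrypts each block independently

# Constructed 8-byte ciphertext blocks standing in for enc(plaintext block).
# The bytes are made up; the plaintext labels are the example's assumptions.
A = bytes.fromhex("e2a311ba15d62f93")  # enc(b"password")
B = bytes.fromhex("7c4f3fb6ac0f0e6b")  # enc(full padding block after "password")
C = bytes.fromhex("d8a2b8e5c4c4ffa1")  # enc(b"1234" + padding)
D = bytes.fromhex("4e18d0b6f1c5d21a")  # enc(b"123456" + padding)
E = bytes.fromhex("9a2c0c6e3f5a7d90")  # enc(b"snoopy12")
F = bytes.fromhex("0b7e6d4c2a1f8e33")  # enc(b"3" + padding)


def b64(*blocks):
    return base64.b64encode(b"".join(blocks)).decode()


# Constructed rows in the shape of the leaked data:
# (user id, email, base64 ciphertext of the password, password hint).
DUMP = [
    (1, "alice@example.com", b64(A, B), "usual"),
    (2, "bob@example.com",   b64(A, B), "the word password"),
    (3, "carol@example.com", b64(A, B), ""),
    (4, "dave@example.com",  b64(A, C), "password then pin"),
    (5, "erin@example.com",  b64(D),    "numbers"),
    (6, "frank@example.com", b64(D),    "1-6"),
    (7, "grace@example.com", b64(E, F), "dog"),
]


def parse(row):
    uid, email, ct_b64, hint = row
    ct = base64.b64decode(ct_b64)
    return {"uid": uid, "email": email, "hint": hint,
            "blocks": [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]}


def cluster_by_ciphertext(dump):
    """Rows with identical ciphertext were encrypted from the same password.
    Returns ciphertext bytes -> list of parsed rows."""
    groups = defaultdict(list)
    for r in map(parse, dump):
        groups[b"".join(r["blocks"])].append(r)
    return groups


def hints_for(rows):
    """The hints of one cluster, read together, often give the password away."""
    return [r["hint"] for r in rows if r["hint"]]


def propagate_guess(dump, uid, plaintext):
    """Once a hint makes one user's password clear, ECB spreads the knowledge:
    same full ciphertext -> same password; same leading block -> same first
    8 bytes (8 characters for ASCII passwords, which is assumed here).
    Returns email -> (known text, whether it is the complete password)."""
    rows = list(map(parse, dump))
    src = next(r for r in rows if r["uid"] == uid)
    known = {}
    for r in rows:
        if r["blocks"] == src["blocks"]:
            known[r["email"]] = (plaintext, True)
        elif r["blocks"][0] == src["blocks"][0]:
            known[r["email"]] = (plaintext[:BLOCK], False)
    return known


if __name__ == "__main__":
    for ct, rows in cluster_by_ciphertext(DUMP).items():
        print(len(rows), "users share", ct[:BLOCK].hex(), "hints:", hints_for(rows))
    # bob's hint is unambiguous, so everyone with his blocks is resolved too
    print(propagate_guess(DUMP, 2, "password"))
```

Nothing here needs the key: the clustering uses only the equality of ciphertext blocks, which ECB leaks and a chained mode or a per-user salted slow hash would not. With salted hashes, two users with the same password get different digests, so this whole approach collapses to plain guessing.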


Facebook just took the known emails/passwords from Adobe and ran them through their own password encryption routine and checked for a match. For matches they reset the passwords on the FB accounts.
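An added example of the check described in this comment and in the Facebook engineer's comment above; it is not Facebook's code, and the user store and the recovered list are constructed for it. The site holds only a per-user salt and a slow hash, so the only way to learn whether a user reused a recovered Adobe password is to push that plaintext through the same verification routine the login path uses. Entries with no recovered plaintext (an email match alone) tell nothing and are not on the list:

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # deliberately slow; tune to the site's login budget


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(email: str, password: str) -> dict:
    """Constructed account record: random salt plus PBKDF2 digest, no plaintext."""
    salt = os.urandom(16)
    return {"email": email.lower(), "salt": salt,
            "digest": hash_password(password, salt)}


def verify_login(user: dict, candidate: str) -> bool:
    """The same routine the login path runs, with a constant-time compare."""
    return hmac.compare_digest(user["digest"], hash_password(candidate, user["salt"]))


# Constructed user store keyed by lowercase email.
SITE_USERS = {u["email"]: u for u in [
    make_user("alice@example.com", "password"),
    make_user("bob@example.com", "correct horse battery staple"),
    make_user("carol@example.com", "Tr0ub4dor&3"),
]}

# Constructed "recovered" list in the shape researchers produced from the
# dump: (email, plaintext). Only rows whose plaintext is actually known appear.
RECOVERED = [
    ("alice@example.com", "password"),      # reused here -> reset
    ("bob@example.com", "hunter2"),         # different password here -> leave alone
    ("Carol@Example.com", "Tr0ub4dor&3"),   # reused here (case-insensitive email) -> reset
    ("mallory@example.com", "letmein"),     # no account on this site -> nothing to do
]


def find_reused_credentials(recovered, users) -> list:
    """Emails whose leaked plaintext also unlocks their account on this site."""
    to_reset = []
    for email, plaintext in recovered:
        user = users.get(email.lower())
        if user is None:
            continue
        if verify_login(user, plaintext):
            to_reset.append(user["email"])
    return to_reset


if __name__ == "__main__":
    for email in find_reused_credentials(RECOVERED, SITE_USERS):
        print("force password reset and re-verify:", email)
```

Running the recovered plaintexts through the real verification code, rather than a copy of it, is the point: it cannot produce a false match, and it needs nothing from Adobe beyond what the public analysis already yielded.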

But the passwords aren't exactly known.

The only way to know them is to have people manually examine the password hints and guess (without confirmation of whether the guess was right or not). It's funny trying to picture Facebook employees looking through 150 million password hints trying to guess passwords.

xkcd on password re-use: http://xkcd.com/792/
