Facebook Automates Fight Against Hackers

Facebook: 10 New Changes That Matter

When a hacker reportedly stole 7 million Dropbox user credentials this week, Facebook ensured that the leaked data didn't compromise your Facebook account. Today, the social network offered a peek into the system it uses to keep users' accounts secure, even when other websites are breached.

"Theft of personal data like email addresses and passwords can have larger consequences because people often use the same password on multiple websites," said Chris Long, security engineer at Facebook. "Lots of household company names have experienced the unpleasant phenomenon of seeing account data for their sites show up in these public ['paste'] lists, and responding to these situations is time-consuming and challenging."

Facebook's automated system scans for large-scale data breaches and monitors a selection of sites that hackers commonly use to divulge the stolen data. "Once we find a set of stolen credentials, we pass the data into a program that parses it into a standardized format," Long said.

[Catch up on the latest Facebook changes. Read Facebook: 10 New Changes That Matter.]

After Facebook's system downloads and parses the data, it hashes each password using its own internal algorithm. Hashing turns a plain-text password into a string of characters that are nearly impossible to decipher.

Because Facebook stores passwords as hashes, the company can't compare a password directly to the hacker's database. "We need to hash it first and compare the hashes," Long explained.

Facebook then uses an automated system to compare each password against its own database of email addresses and passwords for matches. If the hacked credentials match up to your Facebook credentials, the company will guide you through a process to change your password the next time you log in.

If the email and hash combination doesn't match, it means the stolen password is different from your Facebook password, so hackers won't be able to use that information to access your account.

"The problem of password reuse on multiple websites is endemic and well documented," Long said. "The risks are also clear: If you use the same password on lots of websites, an attacker only has to get your password once to be able to access all of those accounts."

While Facebook's process aims to keep your account secure, there are other steps you can take to improve your safety.

Facebook's Login Approvals option uses two-factor authentication to verify your access from a browser you haven't used before. To enable this, visit your Security Settings page, check the box next to the Login Approvals option, and click Save Changes.

Your Security Settings page has other options you can opt into to keep your account safe. These include alerts via email, text, message, and push notification if your account is accessed from a computer or device you haven't used before; adding friends to your Trusted Contacts list, which Facebook will notify if you've been locked out of your account; and details such as the browsers you often use and locations where you've logged into Facebook, which you can review and revoke access when necessary.

Just when conventional wisdom had converged around the cloud being a software story, there are signs that the server market is poised for an upset, too. Get the 2014 State of Server Technology report today (free registration required).