Facebook mines Adobe breach data for reused passwords, warns users to change them or disappear

Summary: Facebook is mining the leaked Adobe file, which contains over 100 million email and password combinations, to improve its users' password security.

Facebook has hidden the profiles of anyone on the social network who used the same email and password combination as one exposed in the recent Adobe hack, at least until they change their password.

The Adobe hack, revealed in October, and the subsequent leak of a file containing over 100 million email addresses and encrypted passwords of Adobe account holders could be the best illustration of the number one rule of good password security: use a different password for every account.

To keep things simple, users not only pick easy-to-guess passwords but also reuse them across multiple online accounts. The problem is that once attackers obtain a password for one service, they can typically use it to get into another.

As reported on Krebsonsecurity.com, Facebook's security team is currently mining the data leaked from the Adobe breach to find users who relied on the same email and password combination to log in to both Facebook and Adobe.

Thanks to the team's efforts, some of its users are receiving this message: "Recently, there was a security incident on another website unrelated to Facebook. Facebook was not directly affected by the incident, but your Facebook account is at risk because you were using the same password in both places."

They are then asked to answer a few security questions and change their password. The message notes that for their safety, "no one can see you on Facebook until you finish".

A spokesperson for the company told Krebsonsecurity that Facebook is always watching out for data breaches that may impact its users and has acted similarly in response to earlier breaches.

Adobe has confirmed that 38 million active accounts were affected by the breach. However, the leaked file that Facebook and security researchers have been using to recover passwords reportedly contains details for around 150 million accounts.

And while Adobe said it encrypted the passwords, password security experts, including Jeremi Gosney, who uncovered the most popular Adobe passwords, note that Adobe should have hashed them instead: encryption is reversible by anyone who obtains the key, whereas a properly salted, slow hash can only be tested one guess at a time. Gosney was able to use the password hints stored alongside the passwords in the leaked file to recover many of them.

Facebook hasn't officially said how it is working out who to message; however, Chris Long, a security incident response manager at Facebook, gave this explanation in a comment on Krebs's post:

"We used the plaintext passwords that had already been worked out by researchers. We took those recovered plaintext passwords and ran them through the same code that we use to check your password at login time. Like Brian’s story indicates, we're proactive about finding sources of compromised passwords on the internet. Through practice, we’ve become more efficient and effective at protecting accounts with credentials that have been leaked, and we use an automated process for securing those accounts."

Facebook confirmed to ZDNet that Long's post was accurate, but declined to make any further comment.
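The check Long describes, and the salted-hash storage the experts quoted earlier say Adobe should have used, can be shown in a few dozen lines. The following is an added example written for this article, not Facebook's or Adobe's code; the user table, the "leaked" plaintexts and the choice of PBKDF2-HMAC-SHA256 are all constructed assumptions. Recovered third-party plaintexts are fed through the same verification routine the login path uses, and only accounts whose stored hash matches are flagged for a forced reset.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumption: any slow, salted KDF serves the purpose; PBKDF2 is used here
# only because it ships with the standard library.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a password as (salt, salted PBKDF2 digest): one-way, not reversible."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """The same check the login path runs; constant-time digest comparison."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def normalize_email(email: str) -> str:
    """Leaked dumps and signup forms disagree on case and whitespace."""
    return email.strip().lower()


def build_user_table(accounts: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Hash each constructed account's password; plaintext is never stored."""
    return {normalize_email(e): hash_password(p) for e, p in accounts.items()}


def find_reused_credentials(
    user_table: Dict[str, Tuple[bytes, bytes]], leaked: List[Tuple[str, str]]
) -> List[str]:
    """Run recovered third-party plaintexts through the login check.

    Only pairs whose e-mail exists locally are tried, so a 150-million-row
    dump costs at most one KDF evaluation per (account, candidate) pair,
    not one per row. Returns the accounts that should be locked for reset.
    """
    flagged = set()
    tried = set()
    for email, plaintext in leaked:
        key = normalize_email(email)
        if key not in user_table or key in flagged or (key, plaintext) in tried:
            continue
        tried.add((key, plaintext))
        salt, digest = user_table[key]
        if verify_password(plaintext, salt, digest):
            flagged.add(key)
    return sorted(flagged)


def same_password_different_digests(password: str) -> bool:
    """Per-user salts mean two users sharing a password do not share a stored
    value, so a dump of the table gives no equality signal to work from."""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return d1 != d2


# Constructed sample data (not from the Adobe file).
SAMPLE_ACCOUNTS = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "hunter2",
    "carol@example.com": "Tr0ub4dor&3",
}
USER_TABLE = build_user_table(SAMPLE_ACCOUNTS)

# Constructed "recovered plaintexts" in the shape researchers would hand over.
LEAKED_SAMPLE = [
    ("Alice@Example.com ", "correct horse battery staple"),  # reused -> flag
    ("bob@example.com", "password123"),                       # different -> ignore
    ("dave@example.com", "hunter2"),                          # no such user
    ("carol@example.com", "Tr0ub4dor&3"),                     # reused -> flag
]

if __name__ == "__main__":
    for account in find_reused_credentials(USER_TABLE, LEAKED_SAMPLE):
        print(f"lock {account} until password reset")
```

The point worth noticing is that the matching never needs the stored password in any recoverable form: the check is exactly the login check, so the site gains the ability to detect cross-site reuse without weakening its own storage. The cost is dominated by the deliberately slow KDF, which is why the loop filters on e-mail first and tries each candidate only once.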

Topics: Security


Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, s...
