Facebook has concealed the profiles of anyone on the social network who used the same email and password combination as those exposed after the recent Adobe hack — at least until they change their passwords.
The Adobe hack, revealed in October, and the subsequent leak of a file containing over 100 million encrypted usernames and passwords of Adobe account holders could be the best illustration of the number one rule of good password security: pick different passwords for different accounts.
To keep things simple, users not only pick easy-to-guess passwords, but they often use the same passwords for multiple online accounts. The problem with that is, if hackers nab a password for one service, they can typically use it to enter another.
As reported on Krebsonsecurity.com, Facebook's security team is currently mining the data leaked from the Adobe breach to find its users who relied on the same email and password combination to log in to both Facebook and Adobe.
Thanks to the team's efforts, some of its users are receiving this message: "Recently, there was a security incident on another website unrelated to Facebook. Facebook was not directly affected by the incident, but your Facebook account is at risk because you were using the same password in both places."
They'll then be asked to answer a few security questions and then change their password. The message notes that for their safety, "no one can see you on Facebook until you finish".
A spokesperson for the company told Krebsonsecurity that Facebook is always watching out for data breaches that may impact its users and has acted similarly in response to earlier breaches.
Adobe has confirmed that 38 million active accounts were affected by the breach. However, the leaked file that Facebook and other security researchers have used to discover the passwords reportedly contained details for around 150 million accounts.
And while Adobe said it encrypted the passwords, password security experts — including Jeremi Gosney, who uncovered the most popular Adobe passwords — note that Adobe should have hashed them instead. Gosney was able to use password hints listed in the leaked file to derive many of the passwords.
Facebook hasn't officially said how it's figuring out who to message; however, Chris Long, a security incident response manager at Facebook, gave this explanation in a comment on Krebs's post:
"We used the plaintext passwords that had already been worked out by researchers. We took those recovered plaintext passwords and ran them through the same code that we use to check your password at login time. Like Brian’s story indicates, we're proactive about finding sources of compromised passwords on the internet. Through practice, we’ve become more efficient and effective at protecting accounts with credentials that have been leaked, and we use an automated process for securing those accounts."
Facebook confirmed to ZDNet that Long's post was accurate, but declined to make any further comment.
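The two mechanisms this article touches on, shown in one added example that is not Facebook's or Adobe's code and is not taken from the Krebs post: first, why storing passwords with a deterministic, reversible cipher leaks the way Gosney exploited (every user who chose the same password gets the same ciphertext, so one user's careless hint resolves the password for the whole group), whereas a salted, slow password hash gives each user a distinct digest; second, the check Long describes, taking plaintext passwords already recovered from the other site's leak and running them through the site's own login verifier to find accounts that must be locked until their password is reset. The toy XOR cipher, the PBKDF2 parameters, and every email, password and hint below are constructed for illustration and are not Adobe's real scheme or data.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# ---------- Part 1: deterministic reversible "encryption" vs salted hashing ----------

def toy_deterministic_encrypt(password: str, key: bytes) -> bytes:
    """Constructed stand-in for a deterministic, reversible cipher (NOT Adobe's
    actual scheme): XOR with a repeating key. The property that matters is that
    the same password under the same key always produces the same ciphertext."""
    data = password.encode()
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def leaked_groups(leaked_rows: Iterable[Tuple[str, bytes, str]]) -> Dict[str, dict]:
    """Group a leaked (email, ciphertext, hint) dump by identical ciphertext.
    Within a group every member has the same password, so any one member's
    hint applies to all of them. Only groups with more than one user are returned."""
    groups = defaultdict(lambda: {"emails": [], "hints": []})
    for email, ciphertext, hint in leaked_rows:
        g = groups[ciphertext.hex()]
        g["emails"].append(email)
        if hint:
            g["hints"].append(hint)
    return {ct: g for ct, g in groups.items() if len(g["emails"]) > 1}


PBKDF2_ROUNDS = 200_000  # constructed work factor; tune for your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow hash: a fresh random salt per user means two users with the
    same password get different digests, so no cross-user grouping is possible."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """The site's login-time check; constant-time comparison of the digests."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# ---------- Part 2: the credential-reuse check Long describes ----------

def find_reused_credentials(
    recovered: Iterable[Tuple[str, str]], user_db: Dict[str, Tuple[bytes, bytes]]
) -> List[str]:
    """recovered: (email, plaintext password) pairs already worked out from the
    other site's leak. user_db: this site's own store, email -> (salt, digest).
    Each recovered password is run through the normal login verifier for the
    matching email; a match means the account is at risk and should be locked
    until the user resets the password."""
    at_risk = []
    for email, password in recovered:
        entry = user_db.get(email.lower())
        if entry and verify_password(password, *entry):
            at_risk.append(email)
    return at_risk


# ---------- Constructed sample data ----------

TOY_KEY = b"toykey"
LEAKED_DUMP = [  # what the other site stored: (email, ciphertext, hint)
    ("alice@example.com", toy_deterministic_encrypt("sunshine1", TOY_KEY), "fave weather + 1"),
    ("bob@example.com", toy_deterministic_encrypt("Tr0ub4dor&3", TOY_KEY), ""),
    ("carol@example.com", toy_deterministic_encrypt("sunshine1", TOY_KEY), ""),
]
RECOVERED = [  # plaintexts researchers derived from the dump and its hints
    ("alice@example.com", "sunshine1"),
    ("bob@example.com", "Tr0ub4dor&3"),
    ("carol@example.com", "sunshine1"),
]
USER_DB = {  # this site's store: alice reused her password, bob did not, carol has no account
    "alice@example.com": hash_password("sunshine1"),
    "bob@example.com": hash_password("different-here-42"),
}

if __name__ == "__main__":
    for ct, g in leaked_groups(LEAKED_DUMP).items():
        print(f"ciphertext {ct}: {g['emails']} share a password; hints {g['hints']}")
    print("accounts to lock until reset:", find_reused_credentials(RECOVERED, USER_DB))
```

Carol left no hint, yet her password falls with Alice's because the two ciphertexts are identical; with the salted hash there is no such grouping, and the reuse check has to rely on plaintexts that were recovered elsewhere, matched per email through the ordinary login path.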