At the Web Summit in Lisbon several days ago, Facebook's Chief Security Officer, Alex Stamos, noted that, in an effort to ensure that no compromised passwords are used on Facebook, Facebook purchases lists of stolen passwords from hackers who sell them through various dark-web marketplaces -- i.e., the black market of cyberspace. The social media provider then applies hashing (i.e., a one-way function) to the stolen credentials in the lists that it buys, and compares the resulting hashes with the password hashes in its own databases. (For obvious reasons, Facebook does not store passwords in clear text, so it cannot simply compare the passwords in the lists to those in its own databases; it must hash the stolen credentials first.)
Stamos explained that as a result of purchasing such lists and performing such comparisons, Facebook has been able to alert millions of users who might otherwise have had their Facebook accounts compromised; the social media provider has encouraged such users to reset their passwords to stronger alternatives.
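The comparison Stamos describes, as an added illustration rather than Facebook's own code: a purchased list arrives as plaintext email:password pairs, while the service stores only salted hashes, so each candidate password must be re-hashed with that user's own salt before the two can be compared. The leaked list, the user records, PBKDF2 as the hash, and the function names are all assumptions for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, List

# Constructed sample "stolen credential list" in the email:password form such
# lists are typically sold in. These entries are made up for this example.
LEAKED_LIST = [
    "alice@example.com:Summer2016!",
    "bob@example.com:hunter2",
    "carol@example.com:correcthorse",
    "not a valid line",
]

ITERATIONS = 100_000  # PBKDF2 work factor; assumed for the example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow one-way hash; this is what the user table stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_record(email: str, password: str) -> dict:
    """Create a stored record with a fresh random per-user salt (never the plaintext)."""
    salt = os.urandom(16)
    return {"email": email.lower(), "salt": salt, "hash": hash_password(password, salt)}


def find_compromised(users: Dict[str, dict], leaked: List[str]) -> List[str]:
    """Return the emails of users whose current password appears in the leaked list.

    Because every user has a distinct salt, the leaked plaintext has to be hashed
    once per matching user; a single global hash of the leaked list would not work.
    """
    hits: List[str] = []
    for line in leaked:
        email, sep, candidate = line.partition(":")
        if not sep:
            continue  # malformed entry; skip rather than fail the whole run
        record = users.get(email.strip().lower())
        if record is None:
            continue  # the leaked account is not one of ours
        if hmac.compare_digest(hash_password(candidate, record["salt"]), record["hash"]):
            hits.append(record["email"])
    return hits


if __name__ == "__main__":
    # alice reuses the leaked password; bob does not; carol has no account here.
    table = {r["email"]: r for r in (make_user_record("alice@example.com", "Summer2016!"),
                                     make_user_record("bob@example.com", "different-pw"))}
    print("users to notify:", find_compromised(table, LEAKED_LIST))
```

Users returned by find_compromised would be prompted to reset their password and, ideally, enable multi-factor authentication; the stolen plaintext is discarded once the check has run.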
I will leave to lawyers the legal questions regarding purchasing stolen property - although I will note that I have consistently called for stricter application of relevant "possession of stolen property" laws from the physical world to the world of data, but, to date, that has not happened.
While some might raise ethical concerns about Facebook's actions - rewarding criminals for selling stolen passwords might incentivize such folks to commit more cyber crimes in the future - I believe that it is reasonable to argue that Facebook's actions are justified by two facts taken together: there is sufficient incentive for criminals to commit cyber crimes even without Facebook's payments, and Facebook's purchases demonstrably reduce risks to innocent people who would otherwise almost certainly have the personal information that they keep in their Facebook accounts stolen.
Ironically, it was not that long ago that Facebook's CEO himself had some of his own semi-abandoned social media accounts breached through the use of a compromised reused password.
As such, in an article entitled "How to Be Better at Social Media Than Mark Zuckerberg," I discussed multiple steps that you can take to better protect your social media accounts; using a strong, easy-to-remember, unique password is one of them - but there is a lot more that you can do without much effort that can make the difference between your account being safe or being compromised by hackers. See the article for some important tips.
As far as Facebook buying stolen credentials, here are some others' opinions on the matter:
Kunal Anand, Co-Founder and CTO, Prevoty:
"This is a smart move and a continuation of Facebook trying to protect its users on and off the social network. Most people re-use passwords across multiple accounts and with Facebook buying stolen passwords, the social network can help reduce risk for individuals. It helps buy user trust (people will associate Facebook with being the "good person") and helps reduce customer service/security associated costs down the road."
Steve Morgan, Founder and CEO, Cybersecurity Ventures:
"Theft and sales of stolen user credentials are rising sharply. Cyber flea markets offering stolen credentials make it tempting for large social media sites to practice rather concerning data practices."
John Gunn, Vice President, VASCO Data Security:
"This episode further underscores the undeniable weaknesses of 30-year-old password technology and the urgent need to move to multi-factor authentication, which provides far greater security and ease of use for consumers.
Some may argue that paying to purchase stolen passwords will only encourage more hacking attacks just as paying ransom provides incentives for additional ransomware attacks. The truth is that the attacks are going to happen regardless and the incentive for hackers already exists. Any action that enhances protection hurts criminal hackers and makes their attacks less effective."
Brad Bussie, Director of Product Management, STEALTHbits Technologies:
"Facebook is setting a good example of proactive security vs. reactive security. While purchasing the accounts on the dark web isn't an ideal scenario as it lines the hackers' pockets, the information is infinitely more valuable than the money spent.
Facebook is incredibly connected to most individuals' lives and it will take a company with that reach to begin changing users' habits. Already Facebook has changed the habits of a generation. For better or worse, we are a social society that is always connected. With breaches on the rise, the user population needs to be educated on simple security measures like not using the same password on multiple sites.
Imagine the impact of a user logging into Facebook and getting an alert from Facebook security letting them know that the password they are using for Facebook, and probably other sites, has been compromised and is known. Imagine if it was then recommended to switch to a form of multi-factor authentication that could be used on more than just Facebook?
We should applaud the proactive security from thought leaders like Facebook and not focus on the negative repercussions of funding the dark web to glean its secrets. Eventually, the sale of accounts and passwords on the dark web won't mean anything because they will no longer have any value."