Has Facebook really been buying stolen passwords on dark web black markets?

Data breaches currently pose one of the biggest threats to companies. The alarming rate at which hackers have successfully targeted global tech firms to steal user data has resulted in companies scrambling to ramp-up security measures. Facebook's approach toward ensuring user-account safety goes beyond merely creating secure software. The firm has reportedly been buying up stolen user passwords being traded in online black markets.

The social media giant's novel approach is in efforts to ensure that user account safety remain unbreakable. Facebook's chief security officer Alex Stamos explained at the Web Summit in Lisbon that keeping Facebook secure and ensuring user safety are two different things.

"It turns out that we can build perfectly secure software and yet people can still get hurt," Stamos said, CNet reported. Stamos added that one of the biggest threats when dealing with user account safety comes from reused passwords. "The reuse of passwords is the No. 1 cause of harm on the internet," he stressed. It is to address this very concern in a proactive manner, which led to Facebook buying stolen black market passwords.

How does Facebook buying stolen passwords keep user accounts safe?

Facebook has been buying stolen passwords in efforts to ensure that users are not applying commonly-used passwords, such as "1234567", when logging in. According to previous breaches, such passwords have been found to be one of the most used passwords across various social network sites. Using such passwords would automatically make user accounts more vulnerable to being hacked and this is something that Facebook is particularly keen on avoiding.

Stamos disclosed that Facebook uses the stolen passwords, purchased from hackers selling them on dark web marketplaces, to cross-reference them with encrypted passwords already in use on the site. He added that despite the process being "computationally heavy", Facebook has been able to alert millions of users about resetting their vulnerable passwords to a stronger alternative, effectively ensuring users' account and data safety.

Does Facebook know your passwords? Does it store them?

In the wake of the 2013 Adobe data breach, it became apparent the Facebook's security team was mining leaked and stolen data to weed out users reusing passwords when logging into Facebook and Adobe. According to Sophos, Facebook security incident response manager Chris Long had explained at the time that the social media giant used recovered plaintext passwords and ran them through a one-way hashing code, to check users' passwords at login time.

How does this work? When users log in to Facebook, their passwords are passed through a one-way hashing function, which Facebook's security algorithm matches with the hashes it already has stored. If the two match, then the user is allowed access to his/her account. It is these hashes that are stored by Facebook and which help the firm cross-check against obtained, leaked or stolen passwords.

In other words, Facebook does not store your passwords, neither does it know them. However, reports speculate about the ethical aspects of paying cybercriminals, expressing concerns about the disturbing precedent such transactions may set.

"Usernames and passwords are an idea that came out of 1970s mainframe architectures," said Stamos. "They were not built for 2016." Despite Facebook's adoption of advanced security measures such as two-factor authentication, Stamos stressed about the necessity to adopt other solutions when ensuring user safety. "Even though we provide these options, it is our responsibility to think about those people that choose not to use them," he said.