10/20/2014

Facebook scrapes stolen passwords online and notifies its users - why not others

"Facebook is looking for your stolen passwords. On Friday, the social network announced that it built a system that will actively search sites for stolen credentials and then reference that data with its own records. "This is a completely automated process that doesn't require us to know or store your actual Facebook password in an unhashed form," Facebook security engineer Chris Long wrote in a post. "In other words, no one here has your plain text password." If there is a match, users will be notified by Facebook."
http://www.nbcnews.com/tech/security/facebook-hunting-you...

There are other volunteer and commercial services that say they are doing the same thing, but you have to trust that they scrape everything instantly and that they don't miss a single publication on the websites under watch (because they are on holiday, for example).

It is a system I have been trying to sell as an idea to cert.be and to dns.be, to do for the .be email addresses and domains that were leaked, but each had doubts about whether it would fall within their mission (but publishing blablabla websites was no problem). It is not even that expensive, and the hosting websites will even be happy because you can notify them of illegal information on their sites.

At the least, I think the two big ISPs in Belgium should do it for their domain names, and dns.be for the Belgian .be domain names. That would already cover a big part of the stolen identities market.

And speed is important. One has to notify the sites, people and hosters as fast as possible after publication. This is the rat race.

Facebook has now shown that it can be done. Maybe Facebook should make its code accessible to other partners (Gmail, Yahoo, Microsoft, AOL, etc.).
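
The matching step described in the quoted announcement, sketched as an added example (not Facebook's code, whose hashing scheme is not given here): each leaked password is run through the same salted hash as the stored record and the results are compared, so no plaintext is ever kept. The PBKDF2 parameters, the `email:password` paste format, and all names and sample data are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash as kept in the (hypothetical) account table."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def make_record(password: str) -> dict:
    """Build the stored record for an account; the plaintext is discarded."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

def parse_dump(text: str):
    """Yield (email, password) pairs from 'email:password' paste lines."""
    for line in text.splitlines():
        email, sep, password = line.partition(":")  # passwords may contain ':'
        email = email.strip().lower()
        if sep and "@" in email and not email.startswith("#"):
            yield email, password

def find_exposed_accounts(dump_text: str, accounts: dict) -> list:
    """Return the emails whose leaked password matches the stored hash."""
    exposed = set()
    for email, leaked in parse_dump(dump_text):
        record = accounts.get(email)
        if record is None:
            continue  # not one of our users
        candidate = hash_password(leaked, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            exposed.add(email)  # leaked password is still the current one
    return sorted(exposed)

# Constructed sample data: fictitious accounts and a fictitious paste.
ACCOUNTS = {
    "alice@example.be": make_record("correct horse battery"),
    "bob@example.be": make_record("s3cret:with:colons"),
    "carol@example.be": make_record("unrelated-password"),
}
SAMPLE_DUMP = """# constructed paste
alice@example.be:correct horse battery
Bob@Example.be:s3cret:with:colons
carol@example.be:old-password-from-another-site
dave@example.org:hunter2
not a credential line
"""
```

Only accounts whose leaked password still matches need a notification and a forced reset; entries for unknown addresses or outdated passwords produce no match.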
