Facebook resets user passwords after Adobe hack
Facebook has trawled the millions of login credentials leaked in the recent Adobe breach – and anyone who uses the same password across both sites will have to choose a new one.
Although the Adobe breach doesn’t affect Facebook directly, the company compared the leaked passwords with those stored on its own systems, and found many users rely on the same credentials for both sites.
“Recently there was a security incident on another website unrelated to Facebook,” said the company in a notice to affected users. “Facebook was not directly affected by the incident, but your Facebook account is at risk because you were using the same password in both places.”
As noted by security analyst Brian Krebs, Facebook is hiding affected accounts from public view until their owners answer some security questions and change their passwords.
Facebook hasn’t said how many of its users share the same credentials.
But a security researcher for the company, Chris Long, said this wasn’t the first time Facebook had taken steps to protect users after an unrelated breach.
“We used the plaintext passwords that had already been worked out by researchers,” said Long, commenting on Krebs’ site. “We took those recovered plaintext passwords and ran them through the same code that we use to check your password at login time.”
“Through practice, we’ve become more efficient and effective at protecting accounts with credentials that have been leaked, and we use an automated process for securing those accounts,” he added.
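As an added illustration (not Facebook's code and not part of the original article), the check Long describes can be sketched as follows: each recovered plaintext is run through the ordinary login verification for the matching account, so the stored hashes never need to be reversed. The PBKDF2 parameters, record layout, function names, matching by email address and the sample accounts are all assumptions constructed for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, not a value from the article


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def new_record(password: str) -> dict:
    """Store only a per-user salt and the derived hash, never the plaintext."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": derive(password, salt), "needs_reset": False}


def verify_login(record: dict, password: str) -> bool:
    """The login-time check: re-derive with the stored salt, constant-time compare."""
    return hmac.compare_digest(derive(password, record["salt"]), record["hash"])


def flag_reused(store: dict, leaked_pairs: list) -> list:
    """Run each leaked (email, plaintext) pair through verify_login and flag hits."""
    flagged = []
    for email, plaintext in leaked_pairs:
        key = email.strip().lower()
        record = store.get(key)
        if record is None or record["needs_reset"]:
            continue  # no local account, or already flagged
        if verify_login(record, plaintext):
            record["needs_reset"] = True  # force a password change at next login
            flagged.append(key)
    return flagged


# Constructed sample data: a local credential store and recovered leak entries.
STORE = {
    "alice@example.com": new_record("12345"),
    "bob@example.com": new_record("correct horse battery staple"),
    "carol@example.com": new_record("sunshine1"),
}
LEAKED = [
    ("Alice@Example.com", "12345"),       # same password on both sites
    ("bob@example.com", "bob-adobe-pw"),  # different password locally
    ("dave@example.com", "12345"),        # no local account
    ("carol@example.com", "sunshine1"),   # same password on both sites
]

if __name__ == "__main__":
    print(flag_reused(STORE, LEAKED))
```

Because every account has its own salt, a leaked plaintext has to be tested against one account at a time, which is why the sketch reuses the login routine instead of comparing hashes in bulk.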
Facebook’s move comes after Adobe admitted attackers had stolen millions of user passwords.
Most recently, it said hackers had accessed more than 38 million active user records. That’s on top of stolen information on almost three million accounts, disclosed around a month earlier.
But separate research indicates the final tally is actually much higher. LastPass reported last week that it had found 152 million Adobe user credentials leaked online.
And another researcher, Stricture Group’s Jeremi Gosney, pointed out last week that many Adobe users had used weak combinations such as “12345”.