When a data controller embarks on a great initiative, they should be congratulated. Even Facebook. So today I’m glad to acknowledge the sterling work that has been going on behind the scenes to check whether passwords associated with Facebook accounts have been misappropriated.
Facebook monitor a selection of 'paste' sites for stolen credentials and watch for reports of large-scale data breaches. They collect the credentials that have been publicly posted and check whether a leaked email and password combination matches the email and password in use on Facebook. The process is fully automated and does not require Facebook to know or store any user's actual password in plain-text (unhashed) form.
To check for a match, Facebook take each leaked email address and password and run them through the same code that checks user passwords at login time. In other words, the leaked plaintext is processed exactly as a login attempt would be and compared with what is already stored for that account, so no plaintext copy of the real password is ever needed. If there is a match, the account holder is notified the next time they log in and guided through changing the password.
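The following is an added illustration of the technique described above, written for this page; it is not Facebook's code, and nothing is known here about Facebook's actual hashing scheme or paste parsers. It assumes a password store of per-user random salts and PBKDF2-HMAC-SHA256 digests, a simple `email:password` dump format, and constructed sample accounts and a constructed paste. The point it demonstrates is that the breach check reuses the exact login-time verification routine, so the site never needs its users' plaintext passwords, and that dump lines need normalising (case, whitespace, passwords containing the separator) before they can be matched.

```python
"""Checking publicly dumped credentials against a site's own password store
without ever keeping plaintext passwords.

Illustrative code for this page, not Facebook's. The hashing scheme
(PBKDF2-HMAC-SHA256 with a per-user salt), the paste format and the
sample data are all assumptions made for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the example


@dataclass
class StoredCredential:
    # What the site keeps: a random per-user salt and the derived key.
    # The plaintext password is never stored.
    salt: bytes
    digest: bytes


def derive(password: str, salt: bytes) -> bytes:
    """The single password-hashing routine used both at login and for breach checks."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll(password: str) -> StoredCredential:
    """Register a password: fresh salt, digest only."""
    salt = os.urandom(16)
    return StoredCredential(salt=salt, digest=derive(password, salt))


def verify(password: str, cred: StoredCredential) -> bool:
    """Login-time check. Constant-time comparison avoids leaking digest bytes."""
    return hmac.compare_digest(derive(password, cred.salt), cred.digest)


def normalize_email(email: str) -> str:
    # Dumps are messy: trim whitespace and lower-case so matching is not defeated by casing.
    return email.strip().lower()


def parse_paste(text: str):
    """Yield (email, password) pairs from 'email:password' lines, skipping malformed ones.

    Passwords may themselves contain ':' so split only on the first separator.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        if "@" not in email:
            continue
        yield normalize_email(email), password


def find_reused_credentials(paste_text: str, user_store: dict) -> list:
    """Return the accounts whose leaked email+password also unlock them here.

    The leaked plaintext goes through the same verify() used at login and is
    compared against the stored digest; the site never sees stored plaintext.
    """
    flagged = set()
    for email, leaked_password in parse_paste(paste_text):
        cred = user_store.get(email)
        if cred is None:
            continue  # leaked address is not one of our users
        if verify(leaked_password, cred):
            flagged.add(email)
    return sorted(flagged)


# Constructed sample data for the example (not real accounts or a real dump).
USER_STORE = {
    "alice@example.com": enroll("correct horse battery staple"),
    "bob@example.com": enroll("S3cure!Pass:withcolon"),
    "carol@example.com": enroll("carol-unique-password"),
}

SAMPLE_PASTE = """\
alice@example.com:correct horse battery staple
Bob@Example.com:S3cure!Pass:withcolon
carol@example.com:password123
dave@example.com:hunter2
not a credential line
"""


def flagged_accounts() -> list:
    """Accounts in the constructed store whose dumped password still works."""
    return find_reused_credentials(SAMPLE_PASTE, USER_STORE)


if __name__ == "__main__":
    for email in flagged_accounts():
        print(f"force password reset at next login: {email}")
```

Alice is flagged because her dumped password is exactly her current one; Bob is flagged even though the dump has his address in mixed case and his password contains the separator; Carol's dumped password differs from her real one so she is left alone; Dave is not a user. Only the flagged accounts need the forced-reset flow described above.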
Isn’t this a great idea?
And a sign of a responsible data controller acting in the best interests of their customers?
So, Facebook, just in case no one else bothers to say it, please accept my thanks, at least, for providing such a useful service.