Facebook’s Password Armageddon by the Numbers

Bojan Simic, CTO HYPR

On March 21st 2019 Brian Krebs reported on Facebook’s bleak admission that the platform’s employees were free to search up to 600 million user credentials.

Let’s look at some numbers and what that means.

20,000 Employees Could Query User Passwords

Dating back to 2012, 9 million internal queries across 2,000 Facebook engineers were made to this plain-text centralized credential store. The chances of someone taking these credentials and exposing them externally are far greater than zero and we should all be concerned.

Your Facebook Password is Worth $1 on the Dark Web

According to MoneyGuru, your Facebook login password is worth about $1 on the dark web. The fact that 20,000 people at Facebook could query the password database and potentially make tens of millions of dollars with little to no effort means that your credentials probably found their way on the dark web shopping carts more than once.

Password Reuse Success Rates Are 2-4%

If we look at the worst-case scenarios and 600 million credentials have been leaked, that means up to 24 million passwords can be reused against banking, insurance, retail, and even critical infrastructure because people use the same password for everything.

The scariest part of this is that if you’re a bank, your users’ passwords include many that are the same or a slight variation of their password Facebook password. So even if your security is stellar, your risk profile just skyrocketed!

Facebook’s MFA Adoption is ‘Probably’ 10% or Less

In 2018, Google revealed that less than 10% of their users have enabled multi-factor authentication (MFA). The number is frankly impressive considering that it’s opt-in and by comparison Google is fairly adamant about users leveraging the capability. While Facebook’s MFA statistics on adoption are not public, they are most likely lower than that of Gmail. So if we’re optimistic about Facebook, support for MFA for users won’t put much of a dent in the fraud fallout stemming from this password vulnerability.

What Should Facebook Do?

Facebook struggles with the same challenges most companies do today, the reliance on shared secrets as the foundation of user authentication. Currently, companies have a centralized credential store where they have everyone’s password or OTP secrets in one location. This one location is hackers’ favorite target and Facebook made it uncommonly accessible to potential internal malicious actors.

The solution is to eliminate the password — and the shared secret model of user authentication entirely — by decentralizing credentials safely onto user devices. Users would have control over their privacy, Facebook would not have the burden of storing all user credentials, and both parties would not face the risk of a mass breach or credential reuse that follows one.

The good news is that Facebook has made indications to move to a more secure authentication system by joining the FIDO Alliance. However, it is still not the primary method of authenticating to Facebook and the user still has to rely on passwords.

– Bojan Simic, HYPR CTO