Facebook is identifying users compromised by the recent theft of Adobe user credentials by asking them to answer security questions before granting them access.
Like online retailers Diapers.com and Soap.com, Facebook is trying to protect members who used the same email and password combinations for Adobe from abuse of their accounts.
Affected members are notified that their accounts could be accessed by unauthorised users as a result of the Adobe breach.
"Facebook was not directly affected by the incident, but your Facebook account is at risk because you were using the same password in both places," the notice states.
"To secure your account, you'll need to answer a few questions and change your password. For your protection, no-one can see you on Facebook until you finish."
However, the latest estimates put the number of leaked credentials at over 150 million, according to Neowin.net.
Read more about authentication
- IT industry group releases password-killing standard
- Password-based authentication: A weak link in cloud authentication
- Biometrics key to frictionless authentication, says BioCatch
- Alternative authentication: New authentication methods for enterprises
- Risk-based authentication (RBA)
- Multifactor authentication (MFA)
- Best of authentication 2012
- Master VMware identity authentication strategies
- Biometric authentication methods: Comparing smartphone biometrics
- Situational Awareness Meets Strong Authentication
Adobe has welcomed the initiative by Facebook and other services to reset user passwords as a precaution, but said there is no evidence of unauthorised activity related to the accounts involved.
According to Krebs, Adobe encrypted all passwords with a single key which, brute forced or stolen, meant all passwords could be unlocked.
Facebook told the BBC it has an automated process designed to protect leaked credentials.
The increasing number of breaches at online service providers once again highlights the security weaknesses of access based only on username and password.
Privacy concerns by users are likely to accelerate the development and adoption of additional or alternative authentication methods.
In February, a consortium of IT companies – including PayPal and Lenovo – published a set of new technology standards that could rid users of usernames and passwords.
The Fido (Fast IDentity Online) Alliance hopes to revolutionise online authentication with an industry-supported standards-based open protocol that will address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords.
The protocol is aimed at making online accounts more secure by eliminating password theft and re-use, and giving PCs and mobile devices a bigger role in authentication.
The security industry has long recognised that passwords are becoming increasingly insecure and difficult to use as they become more complex and difficult to remember.
“Authentication is a key part of security, and with technology shifts we have an opportunity to redefine it so that it is easy to use and is more secure,” Upadhyay told the ISSE 2013 security conference in Brussels.
Google plans to introduce a single USB token that can be used to authenticate to multiple online services, eliminating the need for one-time passcode (OTP) mechanisms, the need to store secrets in the datacentre and the possibility of man-in-the-middle [MITM) attacks.