Facebook adds security test for Adobe hacking victims

Facebook identifies users compromised by the theft of Adobe credentials with security questions before granting them access

Facebook is identifying users compromised by the recent theft of Adobe user credentials by asking them to answer security questions before granting them access.

Like online retailers Diapers.com and Soap.com, Facebook is trying to protect members who used the same email and password combinations for Adobe from abuse of their accounts.

Affected members are notified that their accounts could be accessed by unauthorised users as a result of the Adobe breach.

"Facebook was not directly affected by the incident, but your Facebook account is at risk because you were using the same password in both places," the notice states.

"To secure your account, you'll need to answer a few questions and change your password. For your protection, no-one can see you on Facebook until you finish."

Adobe attack

In October 2013, Adobe confirmed a cyber attack compromised around 38 million active accounts, more than ten times the number of accounts initially reported.

However, the latest estimates put the number of leaked credentials at over 150 million, according to Neowin.net.

Adobe has welcomed the initiative by Facebook and other services to reset user passwords as a precaution, but said there is no evidence of unauthorised activity related to the accounts involved.

Investigative reporter Brian Krebs first reported Facebook's protective steps in a blog post, and they have since been confirmed by the BBC.

According to Krebs, Adobe encrypted all passwords with a single key, which meant that if that key were brute forced or stolen, all the passwords could be unlocked.

Evolving authentication

Facebook told the BBC it has an automated process designed to protect users whose credentials have been leaked elsewhere.
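As an added illustration (not Facebook's or Adobe's code) of the kind of check such a process can perform: a service that stores per-user salted PBKDF2 hashes re-derives each leaked third-party password for the matching account and flags those where it verifies, so only reused passwords trigger a forced reset. The leaked pairs and local accounts below are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a per-user hash; the random salt ties the result to one account."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user_table(accounts: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build the service's own store: email -> (salt, hash). Plaintext is never kept."""
    table = {}
    for email, password in accounts.items():
        salt = os.urandom(16)
        table[email.lower()] = (salt, hash_password(password, salt))
    return table


def find_reused_credentials(leaked: List[Tuple[str, str]],
                            table: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Return emails whose leaked third-party password also unlocks their local account."""
    at_risk = []
    for email, leaked_password in leaked:
        entry = table.get(email.lower())
        if entry is None:          # not a user here: nothing to protect
            continue
        salt, stored = entry
        # Constant-time comparison of the re-derived hash against the stored one.
        if hmac.compare_digest(hash_password(leaked_password, salt), stored):
            at_risk.append(email.lower())
    return at_risk


# Constructed sample data: three local users, and a leaked list in which
# only alice reused her password; bob used a different one and dave is not a user.
LOCAL_ACCOUNTS = {
    "alice@example.com": "correct horse battery",
    "bob@example.com": "hunter2",
    "carol@example.com": "zebra-41-lamp",
}
LEAKED_FROM_THIRD_PARTY = [
    ("alice@example.com", "correct horse battery"),
    ("bob@example.com", "swordfish"),
    ("dave@example.com", "hunter2"),
]


def demo() -> List[str]:
    return find_reused_credentials(LEAKED_FROM_THIRD_PARTY, make_user_table(LOCAL_ACCOUNTS))


if __name__ == "__main__":
    for email in demo():
        print(f"{email}: lock account, require security questions and a new password")
```

Flagged accounts get the treatment the article describes (hidden until the user answers verification questions and changes the password), while untouched accounts are left alone.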

The increasing number of breaches at online service providers once again highlights the security weaknesses of access based only on username and password.

Privacy concerns by users are likely to accelerate the development and adoption of additional or alternative authentication methods.

In February, a consortium of IT companies – including PayPal and Lenovo – published a set of new technology standards that could rid users of usernames and passwords.

The Fido (Fast IDentity Online) Alliance hopes to revolutionise online authentication with an industry-supported standards-based open protocol that will address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords.

The protocol is aimed at making online accounts more secure by eliminating password theft and re-use, and giving PCs and mobile devices a bigger role in authentication.

In October 2013, Google’s principal engineer Mayank Upadhyay confirmed the company is planning a two-factor authentication token.

The security industry has long recognised that passwords are becoming increasingly insecure and difficult to use as they become more complex and difficult to remember.

“Authentication is a key part of security, and with technology shifts we have an opportunity to redefine it so that it is easy to use and is more secure,” Upadhyay told the ISSE 2013 security conference in Brussels.

Google plans to introduce a single USB token that can be used to authenticate to multiple online services, eliminating the need for one-time passcode (OTP) mechanisms, the need to store secrets in the datacentre and the possibility of man-in-the-middle (MITM) attacks.