The data obtained from cyberattacks is often listed for sale on Darknet marketplaces for cybercriminals to purchase, yet who actually buys these data?
Passwords are bought by cybercriminals to gain access to users’ online accounts for a wide variety of nefarious activities, but it is not only criminals who are interested in these data. It has recently emerged that Facebook also buys stolen passwords.
Facebook CSO Alex Stamos revealed last week that the social media giant buys stolen passwords on the black market and uses them to better protect users’ accounts.
Facebook can use the stolen passwords and their associated email addresses to scan its users’ accounts to check for a match. If password recycling is discovered, Facebook can then force users to reset the passwords on their Facebook accounts to ensure they do not get hacked.
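
The matching step described above can be done without the site ever storing plaintext passwords. The following is an added example, not Facebook's code: it assumes accounts are stored as a per-user salt plus a PBKDF2 hash, and all function names and sample data are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256, standing in for the site's real password hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "must_reset": False}

def find_reused_credentials(leaked_pairs, user_db):
    """Return emails of accounts whose current password appears in the leak.

    leaked_pairs: iterable of (email, plaintext password) from a breach corpus.
    user_db: dict of email -> {"salt", "hash", "must_reset"}; no plaintext stored.
    """
    flagged = set()
    for email, leaked_password in leaked_pairs:
        key = email.strip().lower()
        record = user_db.get(key)
        if record is None:
            continue  # leaked address has no account on this site
        # Re-hash the leaked password with this account's own salt, then
        # compare in constant time; the leaked plaintext is not retained.
        candidate = hash_password(leaked_password, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            flagged.add(key)
    return flagged

def force_resets(flagged, user_db):
    for email in flagged:
        user_db[email]["must_reset"] = True  # checked at next login

def demo():
    # Constructed accounts and leak entries; none are real.
    db = {"alice@example.com": make_user("correct horse battery"),
          "bob@example.com": make_user("unique-to-this-site")}
    leak = [("Alice@Example.com ", "correct horse battery"),  # recycled password
            ("bob@example.com", "hunter2"),      # leaked elsewhere, differs here
            ("carol@example.com", "letmein")]    # no account on this site
    flagged = find_reused_credentials(leak, db)
    force_resets(flagged, db)
    return flagged, db
```

Only the account whose current password matches the leaked one is flagged; an address that appears in the leak with a different password, or with no account on the site, is left alone.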
If Facebook accounts are hacked, cybercriminals gain access to a huge amount of personal data that could be used for phishing attacks or attacks on victims’ contacts. The hacking of Facebook accounts could result in bad publicity for the social media giant, which would likely affect revenues. From Facebook’s perspective, the purchasing of stolen data makes a great deal of sense.
Any action that prevents the hacking of Facebook accounts is a good thing, but not everyone agrees. The practice has raised concerns among security experts, many of whom do not believe Facebook’s actions are entirely ethical, even if the data that are purchased are used to better protect users’ accounts.
By purchasing stolen data, Facebook is giving money to cybercriminals, which encourages cybercriminal activity. The money Facebook spends could be, and most probably is, used to fund future cyberattacks.
On the other hand, some security experts argue that Facebook is simply being proactive and is ensuring that users are better protected. In the grand scheme of things, one more buyer for any set of stolen data is unlikely to make much of a difference. However, if other companies were to adopt a similar practice, it could fuel the market for stolen data.
It could be argued that Facebook’s actions are helping to educate users about the danger of recycling passwords and that those actions ultimately hurt hackers. If users become better at protecting their online accounts, it becomes much harder for hackers to conduct attacks.
But could Facebook obtain the data by more ethical means, such as searching for data dumps? That is certainly possible, but the process is more time-consuming and requires more resources. Purchasing data is more efficient and enables Facebook to obtain data far more quickly, which means users’ accounts can be protected faster, before cybercriminals can take advantage.