Last week, Facebook CSO Alex Stamos told conference attendees in Lisbon that the company buys stolen passwords on the black market, and some security experts are questioning the ethics and benefits of this approach.
"Paying for stolen passwords only reinforces the criminal business model and further encourages hackers to steal passwords," said Amichai Shulman, founder and CTO at Redwood Shores, Calif.-based security vendor Imperva, Inc.
Paying off hackers has other consequences as well.
"You don't know where that money's going to go," said Javvad Malik, security advocate at San Mateo, Calif.-based AlienVault, Inc. "That money is likely to go towards funding more criminal activity."
And buying the stolen passwords won't take them off the market, he added.
"There's nothing stopping them from reselling them," he said. "You're just buying a copy."
There are other options, he added, such as looking for data dumps where hackers post stolen information.
"Trolling the underground forums is more labor intensive, but I think that kind of approach is more sound, ethically," he said. "As a matter of principle, I'm not in favor of paying criminals if it can be avoided."
Hundreds of millions of credentials have already been leaked online in the last few years, said Luis Corrons, Technical Director at Spain-based Panda Security.
"Cross-referencing those ones should help a lot, without giving money to criminals," he said.
However, the fact that the hackers have one buyer more or less won't make a big difference, said John Gunn, spokesman at Oakbrook Terrace, Ill.-based VASCO Data Security.
"The truth is that the attacks are going to happen regardless and the incentive for hackers already exists," he said.
Plus, knowing which accounts have been compromised can help Facebook defend them better.
"Any action that enhances protection hurts criminal hackers and makes their attacks less effective," Gunn said.
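The cross-referencing that Corrons and Gunn describe, matching already-leaked credential dumps against a service's own user base so that compromised accounts can be reset or pushed to multi-factor authentication, can be done without ever storing the leaked passwords in plaintext. The following is an added illustration, not code from Facebook or from any vendor quoted in the article. It assumes the service already keeps per-user salted PBKDF2 hashes (the `SAMPLE_USERS` store, the `email:password` dump format and all names are constructed for the example); each leaked password is re-hashed with that user's salt and compared in constant time, so a match means the user's current password is public.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Deliberately low for a quick demo; a real deployment uses its existing
# password-hashing parameters, since the stored hashes dictate them anyway.
ITERATIONS = 50_000


@dataclass
class StoredCredential:
    """One row of the (constructed) user store: salted PBKDF2 hash, never plaintext."""
    email: str
    salt: bytes
    digest: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    """Same KDF the service uses at login time, so leaked passwords can be compared."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def build_user_store(plain: dict) -> dict:
    """Constructed helper: turns {email: password} into salted hashes (demo only).
    A real service already has these hashes and would not hold the plaintexts."""
    store = {}
    for email, pw in plain.items():
        salt = os.urandom(16)
        key = email.lower()
        store[key] = StoredCredential(key, salt, hash_password(pw, salt))
    return store


def parse_dump(lines):
    """Yield (email, password) from 'email:password' dump lines.
    Comments, blank lines and lines without an email or separator are skipped."""
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        email, sep, password = line.partition(":")
        if not sep or "@" not in email:
            continue
        yield email.strip().lower(), password


def find_compromised(store: dict, dump_lines) -> set:
    """Return the emails whose *current* password appears in the dump.

    Matching is by email, so a password leaked from some other site but reused
    here (the domino effect the article warns about) is caught as well.
    The returned set is what an operator would feed into a forced-reset and
    MFA-enrolment workflow."""
    hits = set()
    seen = set()
    for email, password in parse_dump(dump_lines):
        cred = store.get(email)
        if cred is None or (email, password) in seen:
            continue  # not one of our users, or this exact pair was already checked
        seen.add((email, password))
        if hmac.compare_digest(hash_password(password, cred.salt), cred.digest):
            hits.add(email)
    return hits


# Constructed sample data: three fictional users and a fictional third-party dump.
SAMPLE_USERS = build_user_store({
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "hunter2",
    "carol@example.com": "Tr0ub4dor&3",
})

SAMPLE_DUMP = [
    "# constructed dump lines from a fictional breach of another site",
    "alice@example.com:wrong-guess",        # our user, but a different password: no hit
    "Bob@Example.com:hunter2",              # case differs in the email, still matches
    "carol@example.com:Tr0ub4dor&3",        # reused password: hit
    "dave@other.example:letmein",           # not our user
    "not a credential line",                # malformed, skipped by the parser
]

if __name__ == "__main__":
    for email in sorted(find_compromised(SAMPLE_USERS, SAMPLE_DUMP)):
        print(f"force reset + MFA prompt: {email}")
```

Because each candidate is re-hashed with the account's own salt, the cost scales with the number of dump lines that name one of your users, not with the size of the dump; deduplicating `(email, password)` pairs first keeps repeated entries from inflating that cost.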
Facebook's approach makes practical sense, said Brad Bussie, director of product management at Hawthorne, N.J.-based STEALTHbits Technologies, Inc., and by going out and buying stolen passwords, Facebook is being proactive, instead of reactive.
"While purchasing the accounts on the dark web isn't an ideal scenario as it lines the hackers' pockets, the information is infinitely more valuable than the money spent," he said. "We should applaud the proactive security from thought leaders like Facebook and not focus on the negative repercussions of funding the dark web to glean its secrets."
What's more important is that companies like Facebook, which have a big impact, are helping educate users about not reusing passwords and teaching them to use multi-factor authentication, he added.
"Eventually, the sale of accounts and passwords on the dark web won’t mean anything because they will no longer have any value," he said. "We should applaud the proactive security from thought leaders like Facebook and not focus on the negative repercussions of funding the dark web."
Facebook could be investing the money into beefing up their security instead, said Jonathan Sander, VP of product strategy at Los Angeles-based Lieberman Software Corp., but there is only so much a company can do to force better security habits on their users.
Buying stolen passwords is a creative way to help address that problem, he said.
"Ethics often are governed by the question of intentions," he added. "The intentions of Facebook and others buying these passwords are good, to be sure. Of course, it does fund the bad guys. The real question is if using the fruits of their labor to fight their future success balances the ethical scales."
With Facebook in particular, given its high user base, there's an extra factor to consider, said Juliette Rizkallah, CMO at Austin-based SailPoint Technologies, Inc. With so many people having Facebook accounts, and reusing the same passwords on multiple sites, breaches can have domino effects across multiple organizations.
"Ultimately, this is a smart and creative move by Facebook," she said. "Facebook -- and other social networks -- have a big responsibility on their shoulders in keeping so many user credentials safe."