With vast swathes of data being sold on the dark web in
recent weeks following high-profile
breaches, many sites are encouraging users
to change their passwords, even if they weren't directly affected.
Facebook and Netflix appear to be taking this a step further,
with reports that a number of users are being forced to update their credentials.
According to security researcher Graham Cluley, Facebook
users are being shown a warning message that reads: "Recently, there was a
security incident on another website unrelated to Facebook. Facebook was not
directly affected by the incident but your Facebook account is at risk because
you were using the same password in both places."
It then goes on to say that to secure their account, the
user will need to answer security questions and change their password. It also
adds: "For your protection, no one can see you on Facebook until you
finish."
By comparison, Netflix is emailing members claiming:
"We believe that your Netflix account credentials may have been included
in a recent release of email addresses and passwords from an older breach at
another company. Just to be safe, we’ve reset your password as a precautionary
measure."
Neither Facebook nor Netflix is saying it has been
hacked or suffered a data breach, and the other website referred to is likely to
be LinkedIn.
In 2012, a rumoured 167 million account details were stolen
from LinkedIn. Initially the data was being sold on the dark web for five
bitcoin, which amounts to around $2,200 (£1,500). It has since dropped in price
and is at around half of this value.
Facebook and Netflix are being cautious because many people,
including, it transpired earlier this week, Facebook's own Mark Zuckerberg,
use the same passwords on multiple accounts.
Security blogger Brian Krebs was sent one of the Netflix
emails, and he said he believes more sites may follow suit in the coming weeks.
Experts are advising people to change the passwords on their
accounts, or make each password unique, to protect themselves. They should also
enable two-factor authentication where available.