I work at Facebook on the security team that helped protect the accounts affected by the Adobe breach. We checked the plaintext passwords that had already been worked out by researchers. We took those recovered plaintext passwords and ran them through the same code that we use to check your password at login time. I posted a comment to the same effect on the Krebs article earlier today.

We try to be proactive about finding sources of compromised passwords on the Internet. Through practice, we’ve become more efficient and effective at protecting accounts with credentials that have been leaked, and we use an automated process for securing those accounts.
A couple weeks ago we noticed an email/password check bot running against our service. It was going through the list of emails from the Adobe breach (we didn't decrypt passwords though, just email matches). The bot itself was blocked by our system, but we emailed our users that had their email/password tested. The funny part is that the bot had a bug: it followed the returned 302 redirect. Since it was coming from China's IPs, we started to reply with redirects to www.gov.cn and the bot stopped about an hour after that. Obviously, someone got a visit from China's KGB :) :) :)
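The pattern the commenter describes (one source walking a breach's email list against the login endpoint, then the site notifying the users whose accounts were tested) can be caught from the authentication log. The following is an added example, not code from the commenter's service or from any project on this page: it parses a constructed log in an assumed `timestamp ip email outcome` format and flags source IPs that try at least five distinct accounts within a ten-minute sliding window, returning the accounts each flagged IP touched so those users can be notified. The log format, thresholds and sample lines are all assumptions for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): timestamp, client IP,
# account tried, and outcome. The format is an assumption for this example.
SAMPLE_LOG = """\
2013-11-05T10:00:01Z 203.0.113.7 alice@example.com FAIL
2013-11-05T10:00:02Z 203.0.113.7 bob@example.com FAIL
2013-11-05T10:00:02Z 203.0.113.7 carol@example.com OK
2013-11-05T10:00:03Z 203.0.113.7 dave@example.com FAIL
2013-11-05T10:00:04Z 203.0.113.7 erin@example.com FAIL
2013-11-05T10:00:05Z 203.0.113.7 frank@example.com FAIL
2013-11-05T10:00:30Z 198.51.100.9 grace@example.com FAIL
2013-11-05T10:00:41Z 198.51.100.9 grace@example.com OK
"""


def parse_log(text):
    """Yield (timestamp, ip, email, outcome) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, email, outcome = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, email.lower(), outcome


def detect_credential_stuffing(events, min_distinct=5, window=timedelta(minutes=10)):
    """Flag source IPs that try at least `min_distinct` different accounts
    within `window`. Returns {ip: sorted list of accounts it tested}, i.e.
    the users to notify (and, where a password matched, to reset).
    A single user retrying their own account can never reach the threshold."""
    per_ip = defaultdict(list)
    for ev in events:
        per_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e[0])
        in_window = Counter()  # account -> attempts currently inside the window
        start = 0
        for ts, _, email, _ in evs:
            in_window[email] += 1
            # Slide the window forward: drop events older than `window`.
            while ts - evs[start][0] > window:
                old = evs[start][2]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_distinct:
                flagged[ip] = sorted({e[2] for e in evs})
                break
    return flagged


if __name__ == "__main__":
    for ip, accounts in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, "tested", len(accounts), "accounts:", ", ".join(accounts))
```

The distinct-account count is the useful signal here rather than the failure count: a stuffing bot fed a breach list has a low but non-zero success rate, so a pure failure-rate rule would miss the successes that matter most. In production the window and threshold would be tuned against the site's own traffic, and shared NAT egress addresses would need an allowlist or a per-account secondary signal.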
My first reaction was "Hey, that's a great idea, it will probably protect a bunch of people."

My second reaction was to wonder if this sets a precedent for Facebook that may bite them in the ass in the future. Are they going to do this for every major data-breach that occurs? Furthermore, is it even legal for their team to be in possession of that "publicly available" list of Adobe user passwords? A lot of stuff is available on the Web, but that doesn't mean it's all legal to possess.
Explain xkcd has a good writeup on how to recover some of the user passwords given the encrypted password db, for those curious:

http://www.explainxkcd.com/wiki/index.php?title=1286:_Encryptic
Facebook just took the known emails/passwords from Adobe and ran them through their own password encryption routine and checked for a match. For matches they reset the passwords on the FB accounts.
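What the first comment and this one describe, re-using the site's own login check rather than a special comparison, is shown below as an added example; it is not Facebook's code, whose hashing scheme is not public. It assumes a per-account salted PBKDF2-HMAC-SHA256 store (any one-way scheme works the same way, since the check goes through `verify_login`), normalises email case on both sides, and returns the accounts whose current password equals the leaked plaintext, which are the ones to reset. The account data and leaked pairs are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Assumed storage scheme for this example: salted PBKDF2-HMAC-SHA256 per account.
# Because the recheck calls the ordinary verify routine, the leaked plaintexts are
# compared the same way a login attempt would be, and the site never needs to
# store or reverse anything from the breach.
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_store(accounts):
    """Build {email: (salt, hash)} from (email, password) pairs, fresh salt each."""
    store = {}
    for email, password in accounts:
        salt = secrets.token_bytes(16)
        store[email.lower()] = (salt, hash_password(password, salt))
    return store


def verify_login(store, email: str, password: str) -> bool:
    """The ordinary login check: constant-time compare against the stored hash."""
    record = store.get(email.lower())
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(hash_password(password, salt), expected)


def find_reused_credentials(store, leaked_pairs):
    """Run each leaked (email, plaintext) pair through verify_login. Every hit is
    an account whose current password is known to attackers and must be reset."""
    return sorted(email.lower() for email, pw in leaked_pairs
                  if verify_login(store, email, pw))


# Constructed sample data (not from any real breach).
SITE_ACCOUNTS = [
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "unrelated-passphrase"),
]
LEAKED_PAIRS = [
    ("alice@example.com", "correct horse battery staple"),  # reused: hit
    ("bob@example.com", "123456"),                          # different password: miss
    ("Carol@Example.com", "unrelated-passphrase"),          # case differs, still a hit
    ("mallory@example.com", "qwerty"),                      # no such account here
]
STORE = make_store(SITE_ACCOUNTS)


if __name__ == "__main__":
    print("accounts to reset:", find_reused_credentials(STORE, LEAKED_PAIRS))
```

Two details matter in practice: the check must go through the same slow, salted hash as a real login (so a large breach list costs real CPU and is worth batching), and the result should feed the existing forced-reset and notification flow rather than a one-off script, since the first commenter notes this is run as an automated process each time a new credential source turns up.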