Inside Facebook security: defending users from spammers, hackers, and 'likejackers'

If Facebook were a country, it would be the third largest in the world, just behind India and China. And like any country, Facebook has a police force to keep things under control. 300 people have been entrusted with the responsibility of keeping a 900-million-person virtual society from itself and from external forces. How do you look after people who use the same username and password on every website and get "hacked"? What about "likejackers" determined to make people spam themselves over and over again?

What do you do when Facebook users keep clicking on tantalizing links like "WATCH: Justin Bieber stabbed by lunatic fan"? Facebook's deal with the world's biggest anti-virus companies to include their blacklists in Facebook's URL-scanning database got us thinking about other things the company does behind the scenes to keep its users safe, because a hacked, spammed, and depressed user isn't coming back for more. "Creating friction is the key to making users aware of what they're actually doing," Facebook Security and Safety team member Fred Wolens said, because a vast majority percent of "hacked" Facebook accounts don't get hacked on Facebook. 

Facebook starts by scanning the usual suspects of PasteBin-esque websites weekly to check for hackers dumping thousands of usernames and passwords. Facebook cross references credential dumps with its entire database of user credentials, then alerts any users that match to change their passwords. By signing up for Facebook, you've inadvertently entered yourself into its witness protection program, of sorts. During events like the Gawker credentials leak or Playstation Network security breach last year, Facebook alerted users if their passwords were on the loose. "We keep our ear close to the ground," Wolens told us.