F5 Blackfish Privacy Statement

Published on: 1 July 2020


F5’s Blackfish service (the “Service”) helps customers recognize when an attempt to login to their online property has been made with a username/password pair that matches one that was stolen from an unrelated third-party property. The customer can decide how to act on this information, such as by requiring the purported user to reset their password, or requiring additional authentication from the purported user before completing a high-risk action like a gift card purchase or funds transfer. This Privacy Statement applies to the data that the Service uses.

Roles of the Parties

Under the data protection laws of the EU and similar jurisdictions, F5 is a processor of the query data that the Service receives from F5’s customer, and the customer is (or acts on behalf of) a controller of such data, to the extent it contains personal data. 

The Service is powered by a proprietary corpus of hashed username/password pairs known to be compromised. To the extent this corpus constitutes personal data, F5 is its controller. The information in this corpus is sourced primarily from (i) lists of stolen username/password pairs seen on the dark web and (ii) contributions from customers or security researchers that authorize F5 to use username/password hashes for the collective defense.

Personal Data Collection and Processing by the Service

The Service is available in several deployment models and numerous data configurations. Generally, however, the Service will receive as a query either (i) a username and a hashed password, (ii) a hash of both, or (iii) a hash of a string that includes both.  The Service will then provide the customer with an indication of whether the username/password pair is known to be compromised (i.e., whether the username/password pair is reflected in the Blackfish corpus). In some iterations of the Service, the customer and F5 use advanced security measures to acheive the same outcome while avoiding disclosure of passwords or hashed passwords.

What to Do If Your Access to an Online Property Has Been Blocked

If you believe that the Service has improperly blocked or restricted your access to an F5 customer’s online property, please contact that customer to request restoration of your access.

More Information

To exercise your rights with respect to the query data that F5 processes when providing the Service to a customer, please contact that customer. To exercise your rights with respect to other data, you may contact F5. For more information about F5’s privacy practices, please see the F5 Privacy Notice.