2 million Facebook, Google, Twitter and Yahoo passwords stolen

05 Dec 2013

Security experts have uncovered a trove of around 2 million stolen passwords to websites including Facebook, Google, Twitter and Yahoo from internet users across the globe, Reuters reports.

Researchers with Trustwave's SpiderLabs said they discovered the credentials while investigating a server in the Netherlands that was used by cyber criminals to control a massive network of compromised computers known as the "Pony botnet."

The company told Reuters yesterday it had reported its findings to the largest of more than 90,000 websites and internet service providers whose customers' credentials it had found on the server.

Included in the data are over 326,000 Facebook accounts, over 60,000 Google accounts and over 59,000 Yahoo accounts in addition to nearly 22,000 Twitter accounts, it said.

Victims included users in the US, Germany, Singapore and Thailand, among other countries. According to representatives for Facebook and Twitter, the companies had reset the passwords of affected users.

SpiderLabs added it had contacted authorities in the Netherlands and asked them to take down the Pony botnet server.

According to an analysis posted on the SpiderLabs blog, the most-common password in the set was "123456," which was used in nearly 16,000 accounts, with other common credentials being "password," "admin," "123" and "1."

Meanwhile, according to the BBC, which quoted security experts, the details had probably been uploaded by a criminal gang and the data had probably been taken from computers infected with malicious software that logged key presses.

Though it was not known how old the details were, according to experts, even outdated information posed a risk.

According to security researcher Graham Cluley, though it was not known how many of the details still worked, it was known that 30 to 40 per cent of people used the same passwords on different sites. He said that was something people should not do.

Trustwave said it believed the passwords had been harvested by a large botnet, dubbed Pony, which had scooped up information from thousands of infected computers worldwide.

According to Trustwave, graph data on the site showed how many new details were being scraped from users every day.

A botnet comprises a network of machines controlled by criminals who install malicious software on to computers without the owners' knowledge.

Often, criminal gangs use botnets to steal large amounts of personal data, which can then be sold on to others or held to ransom.