Two million Facebook and Yahoo passwords appear online

Malware

by Ben Sullivan| 05 December 2013

Data was taken from computers infected with malicious software.

More than two million passwords belonging to Google, Facebook and Yahoo accounts have been posted online by a criminal gang.

It is believed the data was attained by key stroke logging malware infecting computers across the world.

It is not yet known hold old the data is, but experts have warned that it could still pose a risk as many people don't update their passwords often enough.

Security expert Graham Cluley said on his website: "What's happened here is clear. Innocent users' computers have become infected with malware, which grabbed login details as they were entered by users. This data was then transmitted to the cybercriminals - either so they could access the accounts themselves or (more likely) sell on the details to other online criminals.

The site containing the passwords was discovered by researchers at Trustwave.

In a blog post outlining its findings, the team said it believed the passwords had been collected by a large botnet, that's been dubbed Pony, that had scooped up information from thousands of infected computers worldwide.

Brian Spector, CEO of CertiVox, said: "The news that over two million stolen passwords for some of the biggest online services in the world yet again goes to show the inherent vulnerability faced by organisations through the username and password system. If customers haven't changed their passwords, they could well see their accounts taken over with all manner of potential damage caused.

"This is obviously not an isolated incident and with the sheer scale of the information available, it is high time that organisations everywhere took a second look at the security methods that they employ - what is proven time and again is that username and password security systems are inherently weak, offering a wide range of attack vectors to criminals, along with a valuable harvest of private customer information.

"The fact that many users tend to use the same password across multiple online accounts also means that their accounts for other online services could be under threat, not just the ones details have been leaked for. This, coupled with the inherent problems with storing such complete information on one server really adds to the argument that it is time for companies to move beyond username and passwords and find a more secure method."

123456 was the most popular password, being used on 15,820 of the accounts. In second place came 123456789, which was used as a password on 4875 accounts.

These passwords show the same ineffectiveness as those that were revealed by the Adobe hack recently, and the news comes as Ransomware viruses are also on the rise.

Comments
Post a comment

Comments may be moderated for spam, obscenities or defamation.

Join our network

716 people like this.
1564 people follow this.

Malware Intelligence

Buy the latest industry research online today!
See more
Privcy Policy

We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.