Security researchers at Trustwave have uncovered a stash of almost two million usernames and passwords, stolen by cybercriminals from users of Facebook, Twitter, Google, Yahoo, LinkedIn and many other sites.
The researchers managed to gain access to a server controlling an instance of the malicious Pony botnet, and were able to access the administrator’s dashboard giving detailed statistics of the number of login credentials stolen from malware-infected computers.
According to a blog post published by Trustwave, the statistics for the types of login credentials contained within the criminal database broke down as follows:
- Approximately 1,580,000 website login credentials stolen
- Approximately 320,000 email account credentials stolen
- Approximately 41,000 FTP account credentials stolen
- Approximately 3,000 Remote Desktop credentials stolen
- Approximately 3,000 Secure Shell account credentials stolen
What’s happened here is clear. Innocent users’ computers have become infected with malware, which grabbed login details as they were entered by users. This data was then transmitted to the cybercriminals - either so they could access the accounts themselves or (more likely) sell on the details to other online criminals.
And the consequences of such a security breach happening on your computer are clear, as the following list of domains most commonly found in the haul shows.
It’s no surprise to see the likes of Facebook, Yahoo and Google rank so highly as they are immensely popular. If you were one of the people unlucky enough to have been caught by this malware, criminals could now be accessing your webmail and social networking accounts - perhaps without you realising.
Such services can warn you if your account is accessed in an unexpected way (such as from a computer you have not used before), and force you to authorise the login via a second device (such as your mobile phone).
But it’s not just social networking passwords and webmail login details that the cybercriminals appear to have stolen. For instance, in a surprisingly high ninth place in the list is payroll service provider ADP, which could potentially result in financial repercussions for the companies concerned.
A list of the top 10 passwords found in the stash reveals a worryingly predictable story of the extremely poor choices made by users:
Pretty pathetic, isn’t it?
Once again, and I’m sorry if I’m beginning to repeat myself but clearly people aren’t getting the message, there are some important lessons here.
Choose better passwords. Many of the passwords revealed in the haul are clearly rubbish. They’re too easy to guess, and not difficult for hackers to crack. Use password management software such as Bitwarden, 1Password or KeePass to generate more complex passwords in future.
Stop using the same passwords. A worrying number of people use the same passwords for multiple websites. Stop doing that right now. It doesn’t look like this particular haul of passwords came from a website being hacked, but remember that if you use the same password on more than one website it only takes one of them to suffer a security breach for lots of your accounts to be compromised. Again, password management software can remember lots of different passwords for you, so you don’t have to.
Keep your security up-to-date. These credentials were stolen because computers were not properly protected. Updated anti-virus software and the latest security patches are essential, as is being careful about what software you install and being wary of clicking on unsolicited links.
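To make the first two lessons concrete, here is an added example (not from the original post or from Trustwave) that audits a password-manager export for the two problems the haul illustrates: predictable passwords and the same password reused across sites. The vault records, the short common-password list and the normalisation rule are constructed assumptions; it goes slightly beyond the text by treating near-duplicates such as "Password1" and "password2" as the same reused password.

```python
import re
from collections import defaultdict

# Constructed sample of a password-manager export: (site, username, password).
# Made-up records for illustration, not data from the Trustwave/Pony haul.
SAMPLE_VAULT = [
    ("facebook.com", "alice", "123456"),
    ("twitter.com", "alice", "Password1"),
    ("mail.yahoo.com", "alice", "password2"),
    ("linkedin.com", "alice", "Password1"),
    ("adp.com", "alice", "xK9#vB2!mQ7zLp4w"),
    ("github.com", "alice", "qwerty123"),
]

# Small illustrative set of the predictable choices such hauls keep turning up.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111", "abc123", "iloveyou"}


def normalise(password: str) -> str:
    """Collapse trivial variations (case, trailing digits or symbols) so that
    'Password1' and 'password2' count as the same reused base password."""
    base = re.sub(r"[\d!@#$%^&*]+$", "", password.lower())
    return base or password.lower()


def is_weak(password: str) -> bool:
    """Flag short, all-digit, or dictionary-style passwords (including a
    dictionary word padded with digits, e.g. 'iloveyou1234567')."""
    low = password.lower()
    if len(password) < 12 or password.isdigit():
        return True
    return low in COMMON_PASSWORDS or normalise(low) in COMMON_PASSWORDS


def find_reuse(vault):
    """Return {normalised_password: [sites]} for bases used on more than one site."""
    groups = defaultdict(list)
    for site, _user, password in vault:
        groups[normalise(password)].append(site)
    return {base: sites for base, sites in groups.items() if len(sites) > 1}


def audit(vault):
    """Report which sites have weak passwords and which share a password."""
    weak = [site for site, _user, password in vault if is_weak(password)]
    return {"weak": weak, "reused": find_reuse(vault)}


if __name__ == "__main__":
    report = audit(SAMPLE_VAULT)
    print("Weak passwords on:", ", ".join(report["weak"]))
    for base, sites in report["reused"].items():
        print(f"Password base '{base}' reused on: {', '.join(sites)}")
```
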
If you are on Facebook, and want to be kept updated with news about security and privacy risks, and tips on how to protect yourself online, join the Graham Cluley Security News Facebook page.
Learn more about this latest discovery in Trustwave’s blog post.