Stolen Facebook and Yahoo passwords dumped online

Image caption: The database included details from many of the most popular social networks

More than two million stolen passwords used for sites such as Facebook, Google and Yahoo and other web services have been posted online.

The details had probably been uploaded by a criminal gang, security experts said.

It is suspected the data was taken from computers infected with malicious software that logged key presses.

It is not known how old the details are - but the experts warned that even outdated information posed a risk.

"We don't know how many of these details still work," said security researcher Graham Cluley. "But we know that 30-40% of people use the same passwords on different websites.

"That's certainly something people shouldn't do."

Criminal botnet

The site containing the passwords was discovered by researchers working for security firm Trustwave.

In a blog post outlining its findings, the team said it believed the passwords had been harvested by a large botnet - dubbed Pony - that had scooped up information from thousands of infected computers worldwide.

Image caption: Data on the site showed how many new details were being scraped from users every day

A botnet is a network of machines controlled by criminals thanks to malicious software being installed on to computers without the owner's knowledge.

Often, criminal gangs will use botnets to steal large amounts of personal data, which can then be sold on to others or held to ransom.

In this instance, it was log-in information for popular social networks that featured most heavily.

The site - written in Russian - claimed to offer 318,121 username and password combinations for Facebook. Other services, including Google, Yahoo, Twitter and LinkedIn, all had entries in the database.

Russian-language sites VKontakte and Odnoklassniki also featured.

Chocolate teapot passwords

Trustwave said it had notified the sites and services hit prior to posting the blog entry.

Facebook highlighted that it was not at fault, and that this security risk was due to infected user machines.

"While details of this case are not yet clear, it appears that people's computers may have been attacked by hackers using malware to scrape information directly from their web browsers," a spokesman said in an email.

"People can help protect themselves when using Facebook by activating Login Approvals and Login Notifications in their security settings.

"They will be notified when anyone tries to access their account from an unrecognized browser and new logins will require a unique passcode generated on their mobile phone."

The social network said all of the users found in the database had been put through a password reset process.

Analysis of the passwords by Trustwave showed a familiar picture - the most popular password, found in the database over 15,000 times, was "123456".

Such predictable combinations made passwords completely ineffective, said Mr Cluley.

"It's as much use as a chocolate teapot," he said. "Absolutely useless."