More than two million stolen passwords for social networking sites such as Facebook, Google and Yahoo have been posted online, according to researchers from an internet security firm. It appears that they weren’t actually stolen through a hack of those companies’ systems, instead, via malware-infected machines.
Trustwave, the internet security firm published a blog post called “Look What I found”, detailing their findings, which includes more than two million login credentials taken from the Pony Botnet Controller. The post by the firm’s researcher Daniel Chechik, also sports graphics that quantify how many credentials were actually exposed to the public.
The malicious botnet managed to steal credentials for: 318,121 Facebook passwords; 59,549 Yahoo logins, and 54,457 Google accounts. As well as this, passwords for: Twitter (21,708) and LinkedIn (8,490 were also stolen.
“You can also spot the notable presence of vk.com and odnoklassniki.ru, two social network websites aimed at Russian-speaking audiences, which probably indicates that a decent portion of the victims comprised [sic] were Russian speakers. Another interesting item on the list is the payroll service provider adp.com. It is only natural to have such domains in the mix, but it is surprising to see it ranked #9 on the top domains list. Facebook accounts are a nice catch for cyber criminals, but payroll services accounts could actually have direct financial repercussions,” the blog post said.
Botnets are usually used by criminal gangs to access and steal large amounts of personal data, allowing them to make a profit through selling them. In this case, the passwords and login credentials were revealed by computers running the software, just like I mentioned upon starting this article – and it happened without the user’s attention.
Unfortunately, though, it is currently unclear what sort of malware actually infected victims’ computers to be able to have sent user information to the command-and-control server. However, the source for the actual control panel, called “Pony”, would have been leaked at some point – but there’s no evidence at this moment in time to suggest when it actually happened.
Before posting the blog post, Trustwave said that it had notified all parties who had fallen victim to the hack. Facebook, in response to this, told the BBC: “People can help protect themselves when using Facebook by activating Login Approvals and Login Notifications in their security settings.”
“They will be notified when anyone tries to access their account from an unrecognized browser and new logins will require a unique passcode generated on their mobile phone,” added Facebook.
Sadly, the internet is a dangerous place, and it seems that it always will be. But in saying that, it’s something that most of the population now use, which means that there should be ways to protect the personal information such as passwords. Maybe something more protective and reliable will come in force someday.