Stolen Facebook and Yahoo passwords dumped online
More than two million stolen passwords for Facebook, Google, Yahoo and other web services have been posted online.
The details had probably been uploaded by a criminal gang, security experts said.
It is suspected the data was taken from computers infected with malicious software that logged key presses.
It is not known how old the details are, but the experts warned that even outdated information posed a risk.
"We don't know how many of these details still work," said security researcher Graham Cluley. "But we know that 30-40% of people use the same passwords on different websites.
"That's certainly something people shouldn't do."

Criminal botnet
The site containing the passwords was discovered by researchers working for security firm Trustwave.
In a blog post outlining its findings, the team said it believed the passwords had been harvested by a large botnet - dubbed Pony - that had scooped up information from thousands of infected computers worldwide.
A botnet is a network of machines controlled by criminals through malicious software installed on the computers without their owners' knowledge.
Often, criminal gangs will use botnets to steal large amounts of personal data, which can then be sold on to others or held to ransom.
In this instance, it was log-in information for popular social networks that featured most heavily.
The site - written in Russian - claimed to offer 318,121 username and password combinations for Facebook. Other services, including Google, Yahoo, Twitter and LinkedIn, all had entries in the database.
Russian-language sites VKontakte and Odnoklassniki also featured.

Chocolate teapot passwords
Trustwave said it had notified the sites and services hit prior to posting the blog entry.
Facebook said its own systems were not at fault and that the risk came from infected user machines.
"While details of this case are not yet clear, it appears that people's computers may have been attacked by hackers using malware to scrape information directly from their web browsers," a spokesman said in an email.
"People can help protect themselves when using Facebook by activating Login Approvals and Login Notifications in their security settings.
"They will be notified when anyone tries to access their account from an unrecognized browser and new logins will require a unique passcode generated on their mobile phone."

Hi-tech crime terms
- Bot - one of the individual computers in a botnet; bots are also called drones or zombies
- Botnet - a network of hijacked home computers, typically controlled by a criminal gang
- Malware - short for malicious software, i.e. a virus, trojan or worm that infects a PC
- DDoS (Distributed Denial of Service) - an attack that knocks out a computer by overwhelming it with data; thousands of PCs can take part, hence the "distributed"
- Drive-by download - a virus or trojan that starts to install as soon as a user visits a particular website
- IP address - the numerical identifier every machine connected to the net needs to ensure data goes to the right place
The social network said all of the users found in the database had been put through a password reset process.
Analysis of the passwords by Trustwave showed a familiar picture - the most popular password, found in the database over 15,000 times, was "123456".
Such predictable combinations made passwords completely ineffective, said Mr Cluley.
"It's as much use as a chocolate teapot," he said. "Absolutely useless."
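The two findings reported above, the frequency of "123456" in the dump and the cross-site password reuse Cluley warns about, are the kind of analysis anyone holding a leaked database of site/username/password records can reproduce. The script below is an added example and is not Trustwave's tooling or code from this article; the tab-separated dump format, the sample records and the strength rules are constructed assumptions for illustration only.

```python
"""Analyse a leaked credential dump: top passwords, cross-site reuse,
strength buckets, and the per-site account list a provider would reset.

Added example, not Trustwave's tooling. The dump format
(site<TAB>username<TAB>password) and SAMPLE_DUMP are constructed; the
strength rules in classify() are assumed, not Trustwave's categories.
"""
from collections import Counter, defaultdict
import string

# Constructed sample dump, one record per line: site, username, password.
SAMPLE_DUMP = """\
facebook.com\talice@example.com\t123456
google.com\talice@example.com\t123456
yahoo.com\talice@example.com\t123456
facebook.com\tbob@example.com\tpassword
linkedin.com\tbob@example.com\tpassword
twitter.com\tbob@example.com\tS7#kq!pL2wZx
facebook.com\tcarol@example.com\t123456
vk.com\tcarol@example.com\tqwerty
facebook.com\tdave@example.com\tdave1990
facebook.com\terin@example.com\tCorrectHorse9$
"""


def parse_dump(text):
    """Return a list of (site, user, password) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not all(parts):
            continue  # blank or malformed line in the dump
        site, user, password = parts
        records.append((site.lower(), user.lower(), password))
    return records


def top_passwords(records, n=3):
    """Most frequent passwords across the whole dump (the '123456' metric)."""
    return Counter(pw for _, _, pw in records).most_common(n)


def reuse_rate(records):
    """Among users seen on two or more sites, how many reuse a password.

    Returns (reusers, multi_site_users, fraction)."""
    by_user = defaultdict(dict)  # user -> {site: password}
    for site, user, pw in records:
        by_user[user][site] = pw
    multi = {u: s for u, s in by_user.items() if len(s) >= 2}
    # A user reuses a password if they have fewer distinct passwords than sites.
    reusers = sum(1 for s in multi.values() if len(set(s.values())) < len(s))
    frac = reusers / len(multi) if multi else 0.0
    return reusers, len(multi), frac


def classify(password):
    """Crude strength bucket based on length and character classes (assumed rules)."""
    classes = sum(
        1
        for cls in (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, string.punctuation)
        if any(c in cls for c in password)
    )
    if len(password) < 8 or classes == 1:
        return "weak"
    if len(password) < 12 or classes < 3:
        return "medium"
    return "strong"


def strength_breakdown(records):
    """Count of records per strength bucket."""
    return Counter(classify(pw) for _, _, pw in records)


def users_for_site(records, site):
    """Accounts on one site that appear in the dump, i.e. the reset list."""
    return {user for s, user, _ in records if s == site.lower()}


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print("top passwords:", top_passwords(recs))
    print("reuse (reusers, multi-site users, fraction):", reuse_rate(recs))
    print("strength:", dict(strength_breakdown(recs)))
    print("facebook.com accounts to reset:",
          sorted(users_for_site(recs, "facebook.com")))
```

On the constructed sample, "123456" tops the list and two of the three users present on more than one site reuse a password, which is the shape of result Trustwave reported at scale. The reset list is exactly what a provider notified of such a dump would act on.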