Stolen Facebook and Yahoo passwords dumped online

Image caption: The database included details from many of the most popular social networks

More than two million stolen passwords for sites such as Facebook, Google and Yahoo, and for other web services, have been posted online.

The details had probably been uploaded by a criminal gang, security experts said.

It is suspected the data was taken from computers infected with malicious software that logged key presses.

It is not known how old the details are - but the experts warned that even outdated information posed a risk.

"We don't know how many of these details still work," said security researcher Graham Cluley. "But we know that 30-40% of people use the same passwords on different websites.

"That's certainly something people shouldn't do."

Criminal botnet

The site containing the passwords was discovered by researchers working for security firm Trustwave.

In a blog post outlining its findings, the team said it believed the passwords had been harvested by a large botnet - dubbed Pony - that had scooped up information from thousands of infected computers worldwide.

Image caption (Trustwave graph): Data on the site showed how many new details were being scraped from users every day

A botnet is a network of machines controlled by criminals thanks to malicious software being installed on to computers without the owner's knowledge.

Often, criminal gangs will use botnets to steal large amounts of personal data, which can then be sold on to others or held to ransom.

In this instance, it was log-in information for popular social networks that featured most heavily.

The site - written in Russian - claimed to offer 318,121 username and password combinations for Facebook. Other services, including Google, Yahoo, Twitter and LinkedIn, all had entries in the database.

Russian-language sites VKontakte and Odnoklassniki also featured.

Chocolate teapot passwords

Trustwave said it had notified the sites and services hit prior to posting the blog entry.

Facebook highlighted that it was not at fault, and that this security risk was due to infected user machines.

"While details of this case are not yet clear, it appears that people's computers may have been attacked by hackers using malware to scrape information directly from their web browsers," a spokesman said in an email.

Hi-tech crime terms

  • Bot - one of the individual computers in a botnet; bots are also called drones or zombies
  • Botnet - a network of hijacked home computers, typically controlled by a criminal gang
  • Malware - an abbreviation for malicious software ie a virus, trojan or worm that infects a PC
  • DDoS (Distributed Denial of Service) - an attack that knocks out a computer by overwhelming it with data; thousands of PCs can take part, hence the "distributed"
  • Drive-by download - a virus or trojan that starts to install as soon as a user visits a particular website
  • IP address - the numerical identifier every machine connected to the net needs to ensure data goes to the right place

"People can help protect themselves when using Facebook by activating Login Approvals and Login Notifications in their security settings.

"They will be notified when anyone tries to access their account from an unrecognized browser and new logins will require a unique passcode generated on their mobile phone."

The social network said all of the users found in the database had been put through a password reset process.

Analysis of the passwords by Trustwave showed a familiar picture - the most popular password, found in the database over 15,000 times, was "123456".

Such predictable combinations made passwords completely ineffective, said Mr Cluley.

"It's as much use as a chocolate teapot," he said. "Absolutely useless."
