According to researchers, scammers have scooped up more than 2 million passwords for sites like Facebook, Google, and Yahoo, but it appears that the data was stolen via malware-infected machines rather than a hack of those companies' systems.
Trustwave's SpiderLabs dug into source code from the Pony botnet, which was recently made public, and made some startling discoveries. The botnet managed to steal credentials for: 1.58 million websites; 320,000 email accounts; 41,000 FTP accounts; 3,000 remote desktops; and 3,000 secure shell accounts.
"Facebook accounts are a nice catch for cyber criminals, but payroll services accounts could actually have direct financial repercussions," the firm wrote in a blog post.
The presence of Russian social networks vk.com and odnoklassniki.ru on the list, meanwhile, "probably indicates that a decent portion of the victims comprised were Russian speakers," Trustwave said.
The Pony Botnet used a reverse proxy to avoid detection and continue the scam as long as possible. "Outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down," Trustwave said. "While this behavior is interesting in-and-of itself, it does prevent us from learning more about the targeted countries in this attack, if there were any."
Trustwave also didn't have more details about how passwords were obtained; it's possible the malware logged keystrokes. The data did reveal, however, that many of you need to step up your password game. Almost 16,000 accounts used "123456" as their passwords, while 2,212 used "password" and 1,991 used "admin."
Overall, only 5 percent of the 2 million passwords are what Trustwave considers to be excellent - passwords that use all four character types and are longer than 8 characters. Another 17 percent are good, 44 percent are medium, 28 percent are bad, and 6 percent are terrible.
For more, check out The Sneakiest Kinds of Malware and 7 Signs You've Got Malware, as well as The Best Password Managers and Get Organized: How I Cleaned Up My Passwords in 5 Weeks.