Nearly 2 million passwords have been stolen and posted online for websites including Facebook, Google, Yahoo, LinkedIn, Twitter and payroll giant ADP, according to researchers working for the Trustwave security firm.
The massive hack is the latest in a string of account login thefts carried out with the Pony botnet: malware that harvests stored credentials from infected computers and sends them over the Internet to a controller, unbeknownst to the user.
The hack comes after Adobe was hit with a sustained attack in October that left hackers with sensitive information for nearly 3 million Adobe customers. Hackers also hit LexisNexis in September.
On its blog, Trustwave breaks down the stolen information as follows:
1,580,000 website login credentials
320,000 email account credentials
41,000 FTP account credentials
3,000 remote desktop credentials
2,000 secure shell account credentials
In a statement to Al Jazeera, Twitter spokesperson Jim Prosser said the company was in touch with Trustwave about the compromised accounts and has already reset the passwords for affected users. Facebook says it has taken similar measures and encouraged users to activate the social network's "login approvals" and "login notifications" features.
ADP posted a statement on its website saying the company "has been made aware of a phishing campaign," and that it has "no reason to believe" the campaign was specifically targeted at ADP or its clients.
LinkedIn has also reset passwords for those affected and pointed out that it offers free 90-day trials of malware protection software in its "safety center."
Google declined to comment. Yahoo did not respond to emails or phone calls.
Trustwave said that most of the compromised passwords were weak to begin with. The most popular stolen password was "123456," followed closely by "123456789," "1234" and "password."
Based on the geo-location statistics Trustwave gathered, it appeared that most affected users were in the Netherlands. A closer look reveals the more likely scenario: a single Netherlands IP address was used as a "reverse proxy" between the infected computers and the command-and-control server, a technique commonly used to keep the real server from being found and taken down.
With a reverse proxy in place, infected machines send their stolen data to the proxy rather than to the real server, and the proxy relays it onward. Anyone watching the traffic sees only the proxy's address, which is cheap to replace if it is discovered or blocked, while the server behind it stays hidden.
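The lesson of the Netherlands figure generalises: a geo-location chart counts connections, not infected machines, so one relay address can masquerade as a whole country of victims. The Python below is an added example, not Trustwave's code or anything from the article; it runs the check a researcher would run over constructed sample check-in records (addresses drawn from the documentation ranges, country codes assigned by hand) and recovers the real distribution once the suspected relay is set aside.

```python
from collections import Counter, defaultdict

# Constructed sample of botnet check-ins: (source IP, geolocated country).
# Addresses come from the RFC 5737 documentation ranges; this is not
# Trustwave's data. 198.51.100.7 plays the role of the Netherlands relay.
SAMPLE_CHECKINS = [
    ("198.51.100.7", "NL"), ("198.51.100.7", "NL"), ("198.51.100.7", "NL"),
    ("198.51.100.7", "NL"), ("198.51.100.7", "NL"), ("198.51.100.7", "NL"),
    ("198.51.100.7", "NL"), ("198.51.100.7", "NL"),
    ("203.0.113.10", "US"), ("203.0.113.11", "US"), ("203.0.113.12", "US"),
    ("203.0.113.13", "US"), ("203.0.113.14", "US"),
    ("192.0.2.20", "DE"), ("192.0.2.21", "DE"), ("192.0.2.22", "DE"),
    ("192.0.2.30", "TH"), ("192.0.2.31", "TH"),
]


def country_totals(checkins):
    """Naive per-country volume: what a geo-location chart would show."""
    return Counter(country for _, country in checkins)


def distinct_ips_per_country(checkins):
    """How many different source addresses stand behind each country's count."""
    ips = defaultdict(set)
    for ip, country in checkins:
        ips[country].add(ip)
    return {country: len(addrs) for country, addrs in ips.items()}


def proxy_suspects(checkins, min_hits=5, min_share=0.8):
    """Return (country, ip, share) for every address that produces at least
    min_share of its country's check-ins and at least min_hits of them.

    Many victims produce many addresses with a few hits each; one address
    carrying most of a country's traffic is the signature of a relay.
    """
    per_country = defaultdict(Counter)
    for ip, country in checkins:
        per_country[country][ip] += 1
    suspects = []
    for country, ip_counts in per_country.items():
        total = sum(ip_counts.values())
        ip, hits = ip_counts.most_common(1)[0]
        share = hits / total
        if hits >= min_hits and share >= min_share:
            suspects.append((country, ip, share))
    return suspects


def totals_without_proxies(checkins, **kwargs):
    """Recompute per-country volume with suspected relay addresses dropped."""
    relays = {ip for _, ip, _ in proxy_suspects(checkins, **kwargs)}
    return Counter(country for ip, country in checkins if ip not in relays)


if __name__ == "__main__":
    print("apparent:", country_totals(SAMPLE_CHECKINS).most_common())
    print("distinct IPs:", distinct_ips_per_country(SAMPLE_CHECKINS))
    print("suspected relays:", proxy_suspects(SAMPLE_CHECKINS))
    print("corrected:", totals_without_proxies(SAMPLE_CHECKINS).most_common())
```

On the sample data the naive count puts the Netherlands first with eight check-ins, but every one of them comes from the same address, so the relay check flags it and the corrected count puts the United States first. The thresholds are assumptions for the sample; on a real feed they would be tuned against the number of check-ins an ordinary infected host makes.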
Several of the affected sites, Facebook, Twitter and Google among them, offer two-factor authentication, which requires a one-time code from your mobile phone in addition to your regular password when you log in from an unrecognised computer. That would not stop malware from stealing a password, but it would make a stolen password far less useful on its own.
It also wouldn't hurt if more people used stronger passwords.
Graham Cluley, an independent security expert, told Reuters that people commonly use simple passwords that are notoriously easy to crack.
"They are totally useless," he said.