View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
December 5, 2013

Two million Facebook and Yahoo passwords appear online

Data was taken from computers infected with malicious software.

By Ben Sullivan

More than two million passwords belonging to Google, Facebook and Yahoo accounts have been posted online by a criminal gang.

It is believed the data was attained by key stroke logging malware infecting computers across the world.

It is not yet known hold old the data is, but experts have warned that it could still pose a risk as many people don’t update their passwords often enough.

Security expert Graham Cluley said on his website: "What’s happened here is clear. Innocent users’ computers have become infected with malware, which grabbed login details as they were entered by users. This data was then transmitted to the cybercriminals – either so they could access the accounts themselves or (more likely) sell on the details to other online criminals.

The site containing the passwords was discovered by researchers at Trustwave.

In a blog post outlining its findings, the team said it believed the passwords had been collected by a large botnet, that’s been dubbed Pony, that had scooped up information from thousands of infected computers worldwide.

Brian Spector, CEO of CertiVox, said: "The news that over two million stolen passwords for some of the biggest online services in the world yet again goes to show the inherent vulnerability faced by organisations through the username and password system. If customers haven’t changed their passwords, they could well see their accounts taken over with all manner of potential damage caused.

Content from our partners
Unlocking growth through hybrid cloud: 5 key takeaways
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape

"This is obviously not an isolated incident and with the sheer scale of the information available, it is high time that organisations everywhere took a second look at the security methods that they employ – what is proven time and again is that username and password security systems are inherently weak, offering a wide range of attack vectors to criminals, along with a valuable harvest of private customer information.

"The fact that many users tend to use the same password across multiple online accounts also means that their accounts for other online services could be under threat, not just the ones details have been leaked for. This, coupled with the inherent problems with storing such complete information on one server really adds to the argument that it is time for companies to move beyond username and passwords and find a more secure method."

123456 was the most popular password, being used on 15,820 of the accounts. In second place came 123456789, which was used as a password on 4875 accounts.

These passwords show the same ineffectiveness as those that were revealed by the Adobe hack recently, and the news comes as Ransomware viruses are also on the rise.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.