Security researchers have discovered more than two million stolen passwords for Facebook, Twitter, Google, Yahoo, LinkedIn and other online services.
The list of stolen passwords was discovered by researchers from security firm Trustwave on a server controlling a botnet of hijacked computers.
Security experts believe the details were collected by cyber criminals using malware designed to log keystrokes on infected computers, according to the BBC.
Criminal gangs typically harvest login credentials either for their own use or to sell to other criminals.
Facebook told the BBC that the social networking firm was not at fault, and that this security risk was due to infected user machines.
"While details of this case are not yet clear, it appears people's computers may have been attacked by hackers using malware to scrape information directly from their web browsers," a spokesman said.
The researchers were able to access the botnet administrator’s account to view detailed statistics of the number of login credentials stolen from malware-infected computers.
According to a blog post published by Trustwave, the criminal database included login credentials for websites, email, FTP, remote desktop and secure shell accounts.
More on passwords
- Do not overlook the weak link in IT security
- Will a password-strength meter lead to stronger passwords?
- PayPal CISO hopes FIDO Alliance can help replace weak passwords
- Password-based authentication: A weak link in cloud authentication
- Millions of internet users trust weak passwords, research reveals
- Intel lends a hand eliminating passwords
- Internet scan finds thousands of device flaws, system weaknesses
- Verizon data breach report shows weak passwords at root of 2011 data breaches
- Remote administration software weaknesses plague businesses
- IT industry group releases password-killing standard
- Password security best practices: Change passwords to passphrases
- Password compliance and password management for PCI DSS
- Internet users prefer weak passwords
Facebook users have been worst hit by the malware with around 318,000 Facebook accounts listed in the database, followed by 70,000 Google-related accounts, 60,000 Yahoo accounts and 22,000 Twitter accounts.
Trustwave said it had notified all affected companies about the security breach before publishing the details.
Criminals could be accessing the webmail and social-networking accounts of anyone caught by this malware without them realising it, warned independent security consultant Graham Cluley.
Cluley said these services are designed to warn users if their account is accessed in an unexpected way such as from a computer not used before.
He also highlights that payroll service provider ADP is among the services for which hackers had stolen credentials, which could potentially result in financial repercussions for companies concerned.
The discovery highlights the importance of choosing better passwords, with many of those listed in the criminal database easy to guess or crack such as “password” and “admin”.
Analysis by Trustwave revealed that the most popular password is “123456”, which was listed in the criminal database more than 15,000 times.
Cluley recommends using password-management software such as LastPass, 1Password, and KeePass to generate more complex passwords.
He also said people should stop using the same passwords for multiple websites because once a single account is compromised, all others using the same password are at risk.
Finally, Cluley said it is important to keep security software up to date because the passwords were stolen using malware that an up-to-date anti-malware package would have blocked.