More than two million passwords from popular social media sites including Facebook, LinkedIn and Twitter have been stolen and posted online by hackers.
The attack has been described as “fairly global” with victims “scattered all over the world”, although the vast majority of comprised users (some 96.66 per cent) were using computers with IP addresses located in the Netherlands.
Security researchers employed by Trustwave stumbled upon the hoard of stolen data whilst investigating a botnet known as ‘Pony’. Botnets are networks of hacked computers created by criminal gangs to use for a number of illegal tasks online, although it’s thought that these passwords were stolen using keylogger software.
A previous attack using the Pony botnet was described by the researchers as “hit-and-run operation,” whilst this attack was carried out over a number of weeks with the hackers taking in a “fairly stable and consistent” number of passwords each day.
Other sites targeted included Russian social media sites vk.com and odnoklassniki.ru, as well as Google and Yahoo. Trustwave notified the sites involved before posting their findings online, and spokespersons from both Facebook and Twitter have told the Huffington Post that accounts found on the list have had their passwords reset.
However, it seems that the passwords themselves were not doing much to help protect users in the first place. The researchers noted that the top ten most commonly used passwords in the list included “123456”, “123456789”, “1234”, “password” and “1”.
“And it all goes downhill from there,” wrote the researchers in a blog post. “There were more terrible passwords than excellent ones, more bad passwords than good, and the majority, as usual, is somewhere in between in the Medium category.”
Whilst a similar cache of leaked Myspace passwords from 2006 revealed that the top ten most common passwords comprised 0.9 per cent of the total, this recent leak ups that percentage to 2.4.
However, there is some good news, as users are apparently using longer passwords more consistently. Passwords with more than 10 characters made up 17 per cent of the total in 2006, and in 2013 this figure has risen to 46 per cent.