According to researchers at Spiderlabs, criminals have scooped up more than 2 million passwords for sites such as Facebook, Yahoo and search engine giant Google, but it appears that the data was stolen via malware-infected machines rather than a direct hack of their systems.

Trustwave’s SpiderLabs delved into source code from the Pony botnet and made some staggering discoveries. The botnet managed to steal credentials for 1.58 million websites, 320,000 email accounts, 41,000 FTP accounts, 3,000 remote desktops and 3,000 secure shell accounts.

Further research into the domains from which those passwords were stolen showed that Facebook was the most popular, accounting for 57 percent or 318,121. Yahoo came in second with approximately 60,000, followed by Google Accounts (54,437), Twitter (21,708) and (16,095). Professionals were also exposed, as LinkedIn was also on the list with 8,490 passwords stolen.

Pony Botnet Steals 2 Million Passwords

Worryingly, payroll provider ADP also had 7,978 passwords stolen, which Trustwave said was surprising. “Facebook accounts are a nice catch for cyber criminals, but payroll services accounts could actually have direct financial repercussions,” the firm wrote in a blog post.

The Pony Botnet used a reverse proxy to avoid being detected and it continued the scam as long as possible. Trustwave said, “Outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down…While this behaviour is interesting in-and-of itself, it does prevent us from learning more about the targeted countries in this attack, if there were any.”

Trustwave also did not have further details about how the passwords were obtained, but the data did reveal that many people need to create better and more complex passwords. Almost 16,000 accounts used “123456” as their password, 2,212 used the word “password” and 1,991 used the word “admin.” Trustwave says that overall only 5 percent of the 2 million passwords are what they consider to be excellent (passwords that use all four character types and are longer than 8 characters).
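The “excellent” criterion quoted above (all four character types, longer than 8 characters) is easy to turn into an audit you can run over a leaked credential set to measure exposure, as in this added example. It is not Trustwave’s code, and the password list in it is constructed for illustration, not taken from the Pony dump.

```python
import string
from collections import Counter

# The four character classes referred to in Trustwave's "excellent" definition
# (an assumption about which classes they meant: lower, upper, digit, symbol).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def character_classes(password):
    """Return the names of the character classes present in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def is_excellent(password):
    """Trustwave's 'excellent' bucket: all four classes AND strictly more than 8 characters."""
    return len(password) > 8 and len(character_classes(password)) == 4


def audit(passwords):
    """Summarise a plaintext password list: how many meet the bar, and the most reused values."""
    total = len(passwords)
    excellent = sum(1 for p in passwords if is_excellent(p))
    return {
        "total": total,
        "excellent": excellent,
        "excellent_pct": round(100.0 * excellent / total, 1) if total else 0.0,
        "top": Counter(passwords).most_common(3),  # reuse of "123456"-style values
    }


# Constructed sample (not real breach data). "P@ssw0rd" has all four classes but is
# only 8 characters long, so it fails the "longer than 8" part of the definition.
SAMPLE = ["123456", "123456", "password", "admin", "123456",
          "Tr0ub4dor&3", "Xk9#mLp2qR", "admin", "letmein", "P@ssw0rd"]

if __name__ == "__main__":
    print(audit(SAMPLE))
```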

With organised criminal activities on the rise and the use and misuse of social media such as Facebook and Twitter becoming so prevalent in today’s world, it does make good sense to use excellent passwords to secure your data, doesn’t it?
