2 million Facebook, Gmail and Twitter passwords stolen in massive hack


From the Trustwave Spiderlabs Blog

Some two million compromised accounts were found on a Netherlands-based server running a botnet controller nicknamed “Pony.” In a blog post on Tuesday coauthored by Trustwave SpiderLabs’ security researchers, Daniel Chechik and Anat Fox Davidi, the researchers said that “one of the latest instances we’ve run into is larger than the last with stolen credentials for approximately two million compromised accounts.” At some point, the two said, the source code for Pony was leaked. “With the source code of Pony leaked and in the wild, we continue to see new instances and forks of Pony 1.9.”

  • 1,580,000 website login credentials stolen
  • 320,000 email account credentials stolen
  • 41,000 FTP account credentials stolen
  • 3,000 Remote Desktop credentials stolen
  • 3,000 Secure Shell account credentials stolen

As one might expect, most of the compromised web log-ins belong to popular websites and services such as Facebook, Google, Yahoo, Twitter, LinkedIn, etc.

Michael Mimoso of Threatpost, the news service of Kaspersky Lab, in his observations about the discovery, said that “Since the Pony controller source code was leaked earlier this year, researchers have been finding more of them online used to manage botnets big and small.”

Another revelation, similar to that of the recent Adobe hack (see ), is that many computer users have not dropped the poor password-making habits that leave them vulnerable to credential theft. The impulse is still to create a password that is merely easy to remember. “So what’s worse,” said Mimoso, “finding two million passwords harvested by a botnet, or learning that most of the stolen passwords are terribly weak?”

The list included passwords such as 123456, 123456789, 1234, and “password.” SpiderLabs rated six percent of the passwords “terrible,” 28 percent “bad,” 44 percent “medium,” 17 percent “good,” and just five percent “excellent.”
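To show what such a five-tier rating looks like in practice, here is an added example (not code from Trustwave SpiderLabs, and not their actual rating criteria, which the article does not give): a small Python rater that sorts passwords into the same five labels and tallies the distribution. The thresholds (character-class count, length, and a tiny list of well-known weak passwords) are this example's own assumptions, and the sample list is constructed, seeded with the four passwords quoted above.

```python
import re
from collections import Counter

# Constructed sample input; the first four entries are the ones quoted in the article.
SAMPLE_PASSWORDS = [
    "123456", "123456789", "1234", "password",
    "qwerty1", "Summer2013", "letmein!", "Tr0ub4dor&3",
    "correct horse battery staple", "P@ssw0rd", "abc", "N3w-Y0rk-Knicks-2013!",
]

# Assumed (hypothetical) denylist of well-known weak passwords; a real deployment
# would use a large breached-password corpus instead of four entries.
COMMON_PASSWORDS = {"123456", "123456789", "1234", "password"}

# Character classes counted toward complexity: lower, upper, digit, other.
_CLASSES = [
    re.compile(r"[a-z]"),
    re.compile(r"[A-Z]"),
    re.compile(r"[0-9]"),
    re.compile(r"[^A-Za-z0-9]"),
]

RATINGS = ("terrible", "bad", "medium", "good", "excellent")


def char_classes(password: str) -> int:
    """Number of distinct character classes present in the password."""
    return sum(1 for rx in _CLASSES if rx.search(password))


def rate_password(password: str) -> str:
    """Assign one of five labels. Thresholds are this example's assumptions,
    not the SpiderLabs methodology."""
    n = len(password)
    classes = char_classes(password)
    if password in COMMON_PASSWORDS or n < 6 or classes == 1:
        return "terrible"
    if classes == 2 and n < 10:
        return "bad"
    if classes == 2 or (classes == 3 and n < 10):
        return "medium"
    if classes == 3 or (classes == 4 and n < 10):
        return "good"
    return "excellent"


def rating_distribution(passwords) -> Counter:
    """Count how many passwords fall into each rating tier."""
    counts = Counter(rate_password(p) for p in passwords)
    for label in RATINGS:          # make every tier present, even at zero
        counts.setdefault(label, 0)
    return counts


def rating_percentages(passwords) -> dict:
    """Same tally expressed as whole-number percentages of the list."""
    counts = rating_distribution(passwords)
    total = sum(counts.values()) or 1
    return {label: round(100 * counts[label] / total) for label in RATINGS}


if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw!r:32} -> {rate_password(pw)}")
    print(rating_percentages(SAMPLE_PASSWORDS))
```

Run over the constructed list, the rater puts five passwords in "terrible", two in "bad", one in "medium", two in "good" and two in "excellent". A defender can point the same function at a password-policy test set or at an organisation's own breached-credential feed to see how its user base would score under a chosen policy.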

The hacking campaign started secretly collecting passwords on Oct. 21, and it might be ongoing: although Trustwave discovered the Netherlands proxy server, Miller said there are several other similar servers they haven’t yet tracked down.

A greater threat than leaked social media accounts

According to Threatpost: “While the Facebook logins found inside this particular Pony instance are useful for social engineering capers, phishing scams and targeted attacks, the ADP logins are a link to cold hard cash.”

“It is only natural to have such domains in the mix, but it is surprising to see it ranked #9 on the top domains list,” wrote Trustwave SpiderLabs researchers Daniel Chechik and Anat Davidi. “Facebook accounts are a nice catch for cyber criminals, but payroll services accounts could actually have direct financial repercussions.”
