Two million Facebook, Gmail, Yahoo and Twitter accounts stolen and posted online

Douglas Crawford

December 5, 2013

Now might be a good time to change all your passwords, as the BBC reported today that passwords for more than two million accounts belonging to users of popular email and social networking services Facebook, Gmail, Yahoo and Twitter (plus Russian websites VKontakte and Odnoklassniki) were discovered posted for all to see on a Russian website.

The discovery was made by researchers at security company Trustwave while investigating in-the-wild activity of the credential-stealing botnet known as ‘Pony’. The stolen credentials break down as follows:

  • 1,580,000 website login credentials stolen
  • 320,000 email account credentials stolen
  • 41,000 FTP account credentials stolen
  • 3,000 Remote Desktop credentials stolen
  • 3,000 Secure Shell account credentials stolen

Figure: graph taken from the botnet’s control panel, showing stolen passwords by day. A total of 318,121 username and password combinations were in the database.

It is not known how current these passwords are or for how long they were being collected, but as security researcher Graham Cluley observed,

‘We don’t know how many of these details still work, but we know that 30-40% of people use the same passwords on different websites. That’s certainly something people shouldn’t do.’

Predictably, if depressingly, the passwords were typically very weak, with 123456 the most popular.

Figure: most common passwords found (password: number of occurrences).

Only 23% of passwords were rated as Good or Excellent, and 33% were rated as Bad or Terrible. Commenting on such poor password choices, Mr Cluley said ‘It’s as much use as a chocolate teapot… absolutely useless.’
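The three numbers above (a top-passwords table, a strength distribution, and a reuse rate) are exactly what an analyst computes when triaging a dump like this. The script below is an added example, not code from the article or from Trustwave: it runs those analyses over a constructed stealer-log sample of (site, username, password) rows, and its five-level rating thresholds are an assumption of this example, since the article does not state Trustwave’s exact criteria.

```python
"""Triage of a leaked credential dump: top passwords, strength mix, and reuse.

Added example, not code from the article or from Trustwave. The dump rows
below are constructed for illustration; none of them come from the Pony data.
"""
from collections import Counter, defaultdict
import string

# Constructed sample in the shape of a stealer log: (site, username, password).
SAMPLE_DUMP = [
    ("facebook.com", "alice", "123456"),
    ("gmail.com", "alice", "123456"),
    ("twitter.com", "alice", "123456"),
    ("facebook.com", "bob", "password"),
    ("yahoo.com", "bob", "Tr0ub4dor&3"),
    ("vk.com", "carol", "123456"),
    ("ok.ru", "carol", "qwerty"),
    ("gmail.com", "dave", "correct horse battery staple"),
    ("twitter.com", "dave", "correct horse battery staple"),
    ("facebook.com", "erin", "1234"),
]

CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation + " ",   # symbols and spaces share one class
)


def top_passwords(rows, n=3):
    """Most common passwords and their counts, like the table Trustwave published."""
    return Counter(pw for _site, _user, pw in rows).most_common(n)


def char_classes(pw):
    """Number of distinct character classes (lower, upper, digit, symbol) present."""
    return sum(any(c in cls for c in pw) for cls in CHARACTER_CLASSES)


def rate_password(pw):
    """Five-level rating using the label names from the article.

    The thresholds (length plus character classes) are this example's
    assumption; Trustwave's exact criteria are not given in the article.
    """
    n, k = len(pw), char_classes(pw)
    if n < 6 or pw.isdigit():
        return "Terrible"           # e.g. "1234", "123456"
    if k == 1:
        return "Bad"                # one class only, e.g. "password", "qwerty"
    if (k == 4 and n >= 10) or n >= 16:
        return "Excellent"          # all classes and long, or a long passphrase
    if k >= 3 and n >= 8:
        return "Good"
    return "Medium"


def strength_distribution(rows):
    """Count of passwords per rating across every row of the dump."""
    return Counter(rate_password(pw) for _site, _user, pw in rows)


def reuse_rate(rows):
    """Share of users with accounts on two or more sites who reuse a password.

    Users with a single account cannot show reuse and are left out of the
    denominator. Returns 0.0 when no user has more than one account.
    """
    by_user = defaultdict(dict)             # user -> {site: password}
    for site, user, pw in rows:
        by_user[user][site] = pw
    multi = [sites for sites in by_user.values() if len(sites) >= 2]
    if not multi:
        return 0.0
    reusers = sum(1 for sites in multi if len(set(sites.values())) < len(sites))
    return reusers / len(multi)


def report(rows):
    """Human-readable summary of the three analyses."""
    lines = ["Top passwords:"]
    lines += [f"  {pw}: {count}" for pw, count in top_passwords(rows)]
    dist = strength_distribution(rows)
    total = sum(dist.values())
    lines.append("Strength mix:")
    for label in ("Excellent", "Good", "Medium", "Bad", "Terrible"):
        lines.append(f"  {label}: {100 * dist[label] / total:.0f}%")
    lines.append(f"Password reuse among multi-site users: {100 * reuse_rate(rows):.0f}%")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_DUMP))
```

On a real dump the user key should be the e-mail address rather than the site username, since the same person usually has different usernames on different sites; the sample uses a bare username only to keep the rows short. Note also that the reuse figure is a lower bound on the behaviour Cluley describes, because a stealer log only records the sites the victim happened to log into while infected.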

That the Russian websites VKontakte and Odnoklassniki were on the list ‘probably indicates that a decent portion of the victims compromised were Russian speakers’. Unfortunately, because the botnet’s command-and-control server sat behind a reverse proxy, Trustwave saw only the proxy’s address rather than the victims’ own, and as they note, ‘it does prevent us from learning more about the targeted countries in this attack, if there were any’.

Facebook and Twitter have announced that all discovered passwords have been reset, while Google pointed to a blog post recommending that Gmail users turn on 2-Step Verification. Facebook also advised users to protect themselves against this form of attack by turning on Login Approvals and Login Notifications in their security settings.
