Some 2 million user credentials for Facebook and other top services have appeared on a Russian-language website, likely thanks to malware installed on users’ computers, experts tell the BBC. They believe a crime ring was probably behind the dump, which claimed to include 318,121 Facebook usernames and passwords, along with login details for users of Google, Yahoo, Twitter, LinkedIn, and Russian sites. “We don’t know how many of these details still work,” says a security researcher.
SpiderLabs says it uncovered the bounty of potentially valuable (and often ridiculously simple) log-ins during its latest Internet sweep for the Pony botnet controller, a malware-spreading set of programs which the researchers say they’re increasingly encountering online. This means the passwords were not leaked by Facebook and the like, but harvested from thousands of infected computers that collected the data when users logged in to their accounts.
Whether the passwords are current or outdated is unknown, but the attack appears to be “fairly global,” SpiderLabs reports. “At least some of the victims are scattered all over the world.” What’s more, many of the passwords were fairly simple, with that old chestnut “123456” topping the list as the password for 15,820 accounts. (“12346789” came in at number two with 4,875 instances.) This could mean extra bad things for the 30 to 40 percent of Internet users who use the same password on multiple accounts, say Facebook … and their bank account.
“Facebook takes people’s information security extremely seriously and we work hard to protect it,” a Facebook spokesperson said in a statement. “While details of this case are not yet clear, it appears that people’s computers may have been attacked by hackers using malware to scrape information directly from their Web browsers.”
Facebook’s recommendation is to engage the site’s two-factor authentication, which requires a passcode from your phone as well as your standard password. Twitter, Yahoo, Google and others also have an option like this, so it helps to look into the settings of all of your major Internet services.
But hey, it’s always a good day to change your password, too.
Source: NBC News