A team of security experts claim that more than two million user login details have been posted online, with some of these used for accessing popular websites like Facebook, Google, Twitter and Yahoo.
Researchers from security firm Trustwave recently came across a Russian-language website containing the stolen passwords and say that this information was most likely gleaned from users' PCs by malicious software which logs key presses.
Detailing its findings in a blog post, Trustwave said that it believed the passwords were harvested by the ‘Pony’ botnet, which would have trawled thousands of infected PCs worldwide.
The team was less clear on who was responsible for the attack – although it believes an unspecified criminal gang is most likely – or on how old the information could be.
The website claims to offer 318,121 username and password combinations for Facebook, while Google, Yahoo, Twitter and LinkedIn credentials were also compromised. Approximately 320,000 email account credentials are also said to have been stolen.
Trustwave found that “123456” was the most popular password, showing up 15,000 times in the last month, with the insecure term ‘password’ featuring prominently too. Just last month, approximately 38 million Adobe passwords were hacked with the same code, which remains one of the most popular passwords.
Larry Spohn, senior security consultant at IT security firm TrustedSec, responded to the news by saying that education and awareness are important from the end user's perspective, but admitted that the security solutions available are not up to scratch.
“The technical controls available right now are nowhere near where they need to be to detect or block an attack like this,” Spohn told SCMagazineUK.com.
“Antivirus clients are only detecting about 2 percent of the threats that are actually permeating the Internet right now and it is incredibly easy to modify existing malware to evade antivirus signatures. Knowing how to react when clicking on a link that asks to download a file and/or execute on your local computer is your best defence.”
Spohn added that users should try to keep software up to date with the latest security patches, and urged them to install Microsoft's Enhanced Mitigation Experience Toolkit (EMET), a free tool which blocks malware developers from using some basic techniques to exploit software vulnerabilities. Alternatively, he advised changing the PC's DNS servers to protect the user from visiting “bad” hosts on the internet.