Security researchers have unearthed a huge trove of hijacked user accounts while unrolling a botnet controller called Pony.
Trustwave Spiderlabs have discovered multiple instances of Pony and say that one such botnet has stolen login credentials for around two million accounts.
Most of the compromised login details come from Facebook, with others from Yahoo, Google, Twitter, LinkedIn and the Russian social networks vk.com and odnoklassniki.ru.
However, independent security expert Graham Cluley notes that thousands of credentials for payments provider ADP were included in the stash, warning that there could be "financial repercussions for companies concerned."
Cluley says users should turn on two-factor verification and Facebook's login notifications and approvals to protect themselves from account hijackings.
The attack is "fairly global", Spiderlabs said, with 93 countries represented in the geo-located list of Internet Protocol addresses for victims' computers that the researchers put together.
Many of the harvested passwords were very simple, using few distinct characters, with the most common being "123456", Spiderlabs said.