Almost 2 million stolen passwords uncovered in cybercrime haul

Graham Cluley
Graham Cluley
@[email protected]

Treasure chestSecurity researchers at Trustwave have uncovered a stash of almost two million usernames and passwords, stolen by cybercriminals from users of Facebook, Twitter, Google, Yahoo, LinkedIn and many other sites.

The researchers managed to gain access to a server controlling an instance of the malicious Pony botnet, and were able to access the administrator’s dashboard giving detailed statistics of the number of login credentials stolen from malware-infected computers.

According to a blog post published by Trustwave, the statistics for the types of login credentials contained within the criminal database broke down as follows:

  • Approx 1,580,000 website login credentials stolen
  • Approx 320,000 email account credentials stolen
  • Approx 41,000 FTP account credentials stolen
  • Approx 3,000 Remote Desktop credentials stolen
  • Approx 3,000 Secure Shell account credentials stolen

What’s happened here is clear. Innocent users’ computers have become infected with malware, which grabbed login details as they were entered by users. This data was then transmitted to the cybercriminals – either so they could access the accounts themselves or (more likely) sell on the details to other online criminals.

Sign up to our free newsletter.
Security news, advice, and tips.

And the consequences of such a security breach happening on your computer are clear, as the following list of domains most commonly found in the haul shows.

Stolen passwords, sorted by domain

It’s no surprise to see the likes of Facebook, Yahoo and Google rank so highly as they are immensely popular. If you were one of the people unlucky enough to have been caught by this malware, criminals could now be accessing your webmail and social networking accounts – perhaps without you realising.

Bad guy accessing Google accountThat’s why it’s important to turn on facilities like Facebook’s Login Notifications and Login Approvals, or Google’s 2-step verification.

Such services can warn you if your account is accessed in an unexpected way (such as from a computer you have not used before), and force you to authorise the login via a second device (such as your mobile phone).

But it’s not just social networking passwords and webmail login details that the cybercriminals appear to have stolen. For instance, in a surprisingly high ninth place in the list is payroll service provider ADP, which could potentially result in financial repercussions for companies concerned.

A list of the top 10 passwords found in the stash reveals a worryingly predictable story of the extremely poor choices made by users:

# Password Count
1. 123456 15820
2. 123456789 4875
3. 1234 3135
4. password 2212
5. 12345 2094
6. 12345678 2045
7. admin 1991
8. 123 1453
9. 1 1224
10. 1234567 1170

Pretty pathetic, isn’t it?

Once again, and I’m sorry if I’m beginning to repeat myself but clearly people aren’t getting the message, there are some important lessons here.

Choose better passwords. Many of the passwords revealed in the haul are clearly rubbish. They’re too easy to guess, and not difficult for hackers to crack. Use a password management software like Bitwarden, 1Password, and KeePass to generate more complex passwords in future.

Stop using the same passwords. A worrying number of people use the same passwords for multiple websites. Stop doing that right now. It doesn’t look like this particular haul of passwords came about as a website hack, but remember that if you use the same password on more than one website it only requires one of them to suffer a security breach for lots of your accounts to be compromised. Again, password management software can remember lots of different passwords for you, so you don’t have to.

Keep your security up-to-date. These credentials managed to be stolen because computers were not properly protected. Updated anti-virus software and the latest security patches are essential, as is being careful about what software you install and being wary of clicking on unsolicited links.

If you are on Facebook, and want to be kept updated with news about security and privacy risks, and tips on how to protect yourself online, join the Graham Cluley Security News Facebook page.

Learn more about this latest discovery in Trustwave’s blog post.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

4 comments on “Almost 2 million stolen passwords uncovered in cybercrime haul”

  1. Chas

    Plethora of spam today with virus attached. Most pretending to be Amazon. Also, LloydsTSB, RoyalMail, O2, HSBC + "photo" from AOL email.

  2. Peter

    Interesting to note that accounts from hotmail/live/outlook aren't in that top ten list, is there something about that set that makes them more secure?

  3. The key issue is to choose DIFFERENT passwords for different accounts (certainly at least for critical accounts). A lot of advice about these password leaks is misleading and gives the impression that just choosing a better password will offer protection.. but if you re-use that password everywhere it doesn't matter how secure it is because it will leak out eventually.

    1. John · in reply to Conrad Longmore

      About a decade ago I started getting worried about my own password behaviour. So I changed to a password generator. At the time it was more cumbersome than it is nowadays. Years later, and on a different product (Roboform in my case, but there are certainly other alternatives as well) The great thing of my life: I do not even know my own passwords anymore. Yes, that is a really comforting thought., My passwords are long (preferrably 30 characters or more, if the service/website allows for those long passwords) , they are randomly generated, and just one click away, so my computer experience isn't compromised. On the contrary, it has become more easy.

      Of course, there is a master password to such a system that needs to be extremely secure, yet easy to remember, and is changed over time.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.