2 million stolen login credentials discovered for Facebook, Google, LinkedIn, Twitter, other sites

Almost 2 million stolen website and email login credentials were found on a botnet command-and-control server, with most of the compromised accounts belonging to Facebook, Google, Yahoo, Twitter, LinkedIn and other popular services.


Security vendor Trustwave discovered the C&C server, which was located in the Netherlands. The botnet, made up of more than 93,000 compromised personal computers, was built and run with malware and management software known as Pony.

The credentials were not stolen directly from the sites but from the compromised personal computers, John Miller, security research manager at Trustwave, said Wednesday. The PCs were infected with the Pony malware, which was installed when the computer users clicked on a malicious link sent via spam.

"Even though they're accounts for online services such as Facebook, LinkedIn, Twitter and Google, it's not a result of any weakness on those companies' networks," Miller said.

The security vendor discovered almost 1.6 million website login credentials and roughly 300,000 email credentials. While many of the stolen usernames and passwords were used for the most popular U.S. sites, Trustwave also found those for two social networks aimed at Russian speakers, vk.com and odnoklassniki.ru.

The discovery was an indication that a significant number of victims were Russian speakers. Trustwave estimates the botnet operators had compromised systems in about 100 countries.

Along with the email and website credentials, Trustwave also found almost 50,000 usernames and passwords for other services, including the remote desktop application in Windows used to log in to other computers.

In addition, there were credentials for FTP servers, used to upload and download files, and for secure shell (SSH) accounts, the remote command-line logins administrators use to manage servers.

Among the top domains in the stolen credentials was that of the payroll service provider ADP. Having credentials for adp.com could be lucrative, because the attackers could gain access to bank account information and the ability to cut checks or change payment recipients, Miller said.

Trustwave notified the affected sites and turned over the credentials for the compromised accounts. In addition, the vendor notified the Netherlands Computer Emergency Response Team (CERT) about the C&C server.

Pony malware, and the controller software used to manage the infected machines, turns up in botnets run by many different cybercriminal groups. Trustwave could not determine who operated this one.

Many of the stolen passwords were extremely weak. The top 10 included runs of consecutive digits (one through eight, for example), as well as "password" and "admin."

For companies, the discovery is a reminder to keep telling employees not to click on links in suspicious emails, to choose strong passwords (preferably a mix of letters, numbers and symbols) and to avoid using the same password across online services. Reuse matters in a case like this one: because the passwords were harvested from the PC rather than from any one site, every service on which a victim used the same password is exposed at once.
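The two problems the article calls out, trivially weak passwords and one password reused across services, are easiest to see by running the same triage an analyst would over a dump of this shape. The script below is an added example, not Trustwave's tooling: the record layout (one "url|username|password" line per stolen credential), every account in it and the weak-password heuristic are constructed for illustration.

```python
"""Triage a credential dump the way an analyst would: which passwords and
domains dominate, how many passwords are trivially weak, and which users
reused one password across several services.

Added example, not Trustwave's tooling. The record format (one
"url|username|password" line per stolen credential) and every account below
are constructed for illustration.
"""
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample dump: hypothetical accounts, documentation IP ranges.
SAMPLE_DUMP = """\
https://www.facebook.com/login|alice@example.com|123456
https://accounts.google.com/|alice@example.com|123456
https://www.linkedin.com/uas/login|bob@example.com|password
https://twitter.com/login|carol@example.com|Tr0ub4dor&3
https://vk.com/login|dmitry@example.ru|12345678
https://adp.com/|payroll@example.com|admin
ftp://ftp.example.com/|webmaster|qwerty
ssh://203.0.113.10:22|root|P@ssw0rd-2013
rdp://203.0.113.20:3389|Administrator|admin
https://www.facebook.com/login|bob@example.com|password
"""

# Small blocklist of passwords that sit at the top of almost every dump.
COMMON_PASSWORDS = {"password", "admin", "qwerty", "letmein", "welcome"}


def parse_dump(text):
    """Return (scheme, host, username, password) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("|", 2)  # maxsplit=2: the password itself may contain '|'
        if len(parts) != 3:
            continue
        url, user, password = parts
        parsed = urlparse(url)
        if not parsed.hostname:
            continue
        records.append((parsed.scheme.lower(), parsed.hostname.lower(), user, password))
    return records


def is_weak(password):
    """Flag the patterns the article describes: very short strings, a run of
    consecutive digits (12345678 and friends) and words like 'password' or
    'admin'. This is a triage heuristic, not a strength meter."""
    if len(password) < 8 or password.lower() in COMMON_PASSWORDS:
        return True
    digits = "0123456789"
    return password.isdigit() and (password in digits or password in digits[::-1])


def top_passwords(records, n=10):
    return Counter(r[3] for r in records).most_common(n)


def top_domains(records, n=10):
    return Counter(r[1] for r in records).most_common(n)


def by_service(records):
    """Split counts into the categories the article uses: web, FTP, SSH, RDP, other."""
    names = {"http": "web", "https": "web", "ftp": "ftp", "ssh": "ssh", "rdp": "rdp"}
    return Counter(names.get(r[0], "other") for r in records)


def weak_fraction(records):
    return sum(is_weak(r[3]) for r in records) / len(records) if records else 0.0


def reused_credentials(records):
    """Map (username, password) pairs seen on more than one host to those hosts.
    Each entry is an extra account the attacker gets without further work."""
    hosts = defaultdict(set)
    for _scheme, host, user, password in records:
        hosts[(user, password)].add(host)
    return {key: sorted(h) for key, h in hosts.items() if len(h) > 1}


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print("records:", len(recs), "by service:", dict(by_service(recs)))
    print("top passwords:", top_passwords(recs, 3))
    print("top domains:", top_domains(recs, 3))
    print(f"weak passwords: {weak_fraction(recs):.0%}")
    for (user, _pw), hosts in reused_credentials(recs).items():
        print(f"reuse: {user} uses one password on {', '.join(hosts)}")
```

The reuse report is the part worth acting on: a user whose single password appears on two or more hosts needs every one of those accounts reset, not just the one that was noticed first. Against a real dump, swap the constructed blocklist for a proper breached-password list and key the domain counts on the registrable domain rather than the full hostname.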


In addition, companies need to be diligent in keeping browser plugins, such as Java, Adobe Flash and Acrobat, up to date with the latest patches, Miller said. Anti-virus software is useful in detecting malware, as is network-monitoring software that can spot unusual traffic between an office computer and a remote server. In this case that traffic is the infected PC checking in with, and uploading harvested credentials to, the C&C server.
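The "unusual traffic" worth hunting for is an infected PC connecting to one outside host on a schedule. The script below is an added example, not Trustwave's tooling: it assumes a simple flow-log format ("epoch_seconds src dst dport bytes"), the records in it are constructed, and 198.51.100.7 stands in for a C&C server. It flags (source, destination, port) pairs whose connection gaps are nearly constant.

```python
"""Find a workstation calling home to a command-and-control server by looking
for connections to one outside host at a near-constant interval.

Added example, not Trustwave's tooling. The flow format
("epoch_seconds src dst dport bytes") and the hosts below are constructed;
198.51.100.7 stands in for a C&C server.
"""
import ipaddress
import statistics
from collections import defaultdict

# Networks treated as internal; an organisation would list its own ranges here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow log. 10.0.0.15 beacons to 198.51.100.7:8080 roughly every
# 300 s; 10.0.0.22 browses 93.184.216.34 at irregular times; 10.0.0.15 also
# queries the internal DNS server, which is periodic but not interesting.
SAMPLE_FLOWS = """\
1000 10.0.0.15 198.51.100.7 8080 412
1000 10.0.0.15 10.0.0.1 53 71
1005 10.0.0.22 93.184.216.34 443 1830
1012 10.0.0.22 93.184.216.34 443 920
1190 10.0.0.22 93.184.216.34 443 4410
1300 10.0.0.15 10.0.0.1 53 71
1302 10.0.0.15 198.51.100.7 8080 415
1598 10.0.0.15 198.51.100.7 8080 410
1600 10.0.0.15 10.0.0.1 53 71
1750 10.0.0.22 93.184.216.34 443 1210
1900 10.0.0.15 10.0.0.1 53 71
1901 10.0.0.15 198.51.100.7 8080 413
2200 10.0.0.15 10.0.0.1 53 71
2203 10.0.0.15 198.51.100.7 8080 412
2497 10.0.0.15 198.51.100.7 8080 418
2500 10.0.0.15 10.0.0.1 53 71
2800 10.0.0.15 10.0.0.1 53 71
2800 10.0.0.15 198.51.100.7 8080 411
2900 10.0.0.22 93.184.216.34 443 3320
3010 10.0.0.22 93.184.216.34 443 640
3100 10.0.0.15 10.0.0.1 53 71
3104 10.0.0.15 198.51.100.7 8080 414
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Return (timestamp, src, dst, dport, bytes) tuples, skipping bad lines."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, src, dst, dport, nbytes = fields
        try:
            flows.append((int(ts), src, dst, int(dport), int(nbytes)))
        except ValueError:
            continue
    return flows


def beacon_candidates(flows, min_connections=6, max_jitter=0.1):
    """Group outbound flows by (src, dst, dport) and score the regularity of the
    gaps between connections as stdev/mean. A pair that connects at least
    min_connections times with jitter at or below max_jitter is reported as
    (src, dst, dport, count, mean_interval, jitter), most regular first."""
    times = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if is_internal(src) and not is_internal(dst):
            times[(src, dst, dport)].append(ts)
    hits = []
    for key, stamps in times.items():
        if len(stamps) < max(min_connections, 3):  # need at least two gaps for stdev
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.stdev(gaps) / mean
        if jitter <= max_jitter:
            hits.append(key + (len(stamps), mean, jitter))
    return sorted(hits, key=lambda h: h[5])


if __name__ == "__main__":
    for src, dst, dport, n, mean, jitter in beacon_candidates(parse_flows(SAMPLE_FLOWS)):
        print(f"{src} -> {dst}:{dport}: {n} connections every ~{mean:.0f}s "
              f"(jitter {jitter:.2f})")
```

Regular outbound connections are not proof of malware: software updaters, NTP and monitoring agents beacon too, so in practice the candidate list is filtered against an allow-list of known destinations before anyone pulls a PC off the network. The thresholds are tunable; a malware author who adds large random sleeps defeats the jitter test, which is why this belongs alongside, not instead of, the anti-virus and patching advice above.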

By Antone Gonsalves