Hackers May Have Stolen Your Facebook, Gmail, Or Twitter Password

Impact

The news: Cybersecurity firm Trustwave announced this week the findings of an investigation that revealed nearly two million Facebook, Google, Twitter, Yahoo, and other accounts had been compromised by a massive botnet named "Pony."

Usernames and passwords to the affected sites had been stolen and sent to a server in the Netherlands. Trustwave's staff discovered that the security of over 93,000 websites had been compromised, troublingly including payroll management company ADP. According to their statistics, here's the number of compromised accounts per website:

- 318,000 Facebook (FBFortune 500) accounts

- 70,000 Gmail, Google+ and YouTube accounts

- 60,000 Yahoo (YHOOFortune 500) accounts

- 22,000 Twitter (TWTR) accounts

- 9,000 Odnoklassniki accounts (a Russian social network)

- 8,000 ADP (ADPFortune 500) accounts (ADP says it counted 2,400)

- 8,000 LinkedIn (LNKD) accounts

Image credit: Trustwave

In a blog post titled "Moar Pony," Trustwave broke down the types of access stolen:

- 1,580,000 website login credentials stolen

- 320,000 email account credentials stolen 

- 41,000 FTP account credentials stolen

- 3,000 Remote Desktop credentials stolen

- 3,000 Secure Shell account credentials stolen

Also on the list were vk.com and Odnoklassniki.ru, two Russian social networks, indicating that many of the victims speak the Russian language. Trustwave also encountered some rather embarrassing password habits:

Come on, guys.

Should I panic? If you have to ask, maybe. But Facebook and Google have already taken action to have compromised users reset their account passwords, as has ADP, the payroll company.

But security researcher Graham Cluley told the BBC that "30-40%" of users use the same passwords on different websites, meaning that many users could be compromised on other sides if they use the same login credentials.

The breach was discovered on Nov. 24. The botnet had been operating for at least a month. Researchers don't know how many computers could be affected, and no one knows how many other botnets are silently collecting data across the internet.

What can I do to protect myself? While there's no way to protect yourself against government-sanctioned internet spying, there's plenty of ways to protect yourself against cybercriminals. Step one is building high-security passwords and varying them between sites, while step two is downloading anti-virus and anti-malware software like Spybot: Search & Destroy and keeping it up to date with the latest malware recognition updates installed. Step three is using the internet cautiously. Don't be an idiot.