Updated 02:16 AM EDT, Tue, Oct 27, 2020

2 Million Compromised Google, Twitter, and Facebook Passwords Found in Pony Botnet Sweep

  • +
  • -
  • Sign up to receive the lastest news from LATINONE
(Photo : Reuters)

Cybersecurity researchers have uncovered a trove of password information on a server in the Netherlands containing stolen credentials for nearly two million accounts including Twitter, Yahoo, Google, and Facebook.

SpiderLabs, the ethical hacking division of data security company Trustwave, revealed that it has found a cache of log-in credentials on a server based in the Netherlands in its latest sweep for fallout from a set of malicious programs called the Pony botnet. SpiderLabs' hackers were able to gain access to an administrator control panel for the server to see what information the botnet had soaked up.

The company published its findings on its blog, disclosing that the latest sweep found compromised passwords affecting accounts on more than 93,000 websites, including many Facebook, Yahoo, Twitter, and Google-owned properties.

In total, 1.58 million website login credentials and 320,000 email account credentials were stolen, with 41,000 FTP (file transfer protocol) accounts and a total of about 6,000 remote desktop and secure shell account credentials listed as well. Some of the log-ins were old and irrelevant, but many were not, and the cybersecurity firm Trustwave has alerted the companies affected by the breach.

SpiderLabs posted the number of passwords stolen per each website as follows:

318,000 Facebook accounts

70,000 Google accounts (including Gmail, Google+, and YouTube)

60,000 Yahoo accounts

22,000 Twitter accounts

9,000 Odnoklassniki accounts (a social network in Russia)

8,000 ADP accounts

8,000 LinkedIn accounts

If your log-in information was one of those listed, it's likely the affected website would have already contacted you asking you to change your password already.

According to IDG, Facebook has said it had reset passwords for the affected accounts, as did ADP, which is a more immediate concern, as it's a payroll administration company. LinkedIn said it had already invalidated the credentials on the list, and Twitter reset some accounts after being notified by Trustwave last week.

SpiderLabs also looked into the location of accounts with stolen credentials.


From the geo-location list, you might think that most of the attack focused on Dutch user accounts, but SpiderLabs cautions that "most of the entries from the NL [Netherlands] IP range are in fact a single IP address that seems to have functioned as a gateway or reverse proxy between the infected machines and the Command-and-Control server, which resides in the Netherlands as well." In fact, wrote SpiderLabs, there are 92 more countries not shown on the list, "indicating that the attack is fairly global and that at least some of the victims are scattered all over the world." The U.S. accounted for fewer than 2,000 compromised passwords.

The malware, Pony Botnet 1.9, responsible for these stolen passwords is a very powerful keylogging program, according to Laboratorio Malware, that can run undetected, in the background and capture the login credentials of users when they access websites, including those with HTTPS security. It can also infect web servers to steal passwords, though there is no evidence that any of the websites listed were infected.

On the lighter side, SpiderLabs was able to scrutinize the password data stolen, coming up with a list of the top 10 passwords out of the almost two million credentials found. Judging by the top 10 list, hackers didn't need a botnet to crack into these Fort Knoxian accounts. The most popular password was 123456, followed by the "stronger" 123456789 and much weaker 1234. (Seriously, never use passwords like that.)

The fourth most popular password?


© 2015 Latin One. All rights reserved. Do not reproduce without permission.
  • Sign up to receive the lastest news from LATINONE


Real Time Analytics