Pony botnet scam sees 2 million stolen Google, Facebook and Yahoo passwords dumped online

According to researchers, scammers have scooped up more than two million passwords for sites like Facebook, Google, and Yahoo - but it appears that the data was stolen via malware-infected machines rather than a hack of those companies' systems.

Trustwave's SpiderLabs dug into source code from the Pony botnet, which was recently made public, and made some startling discoveries. The botnet managed to steal credentials for 1.58 million websites, 320,000 email accounts, 41,000 FTP accounts, 3,000 remote desktops, and 3,000 secure shell accounts.

Looking at the domains from which those passwords were stolen, Facebook was the most popular victim, accounting for 318,121, or 57 per cent. Yahoo came in second with about 60,000, followed by Google Accounts (54,437), Twitter (21,708), and Google.com (16,095). Also on the list was LinkedIn (8,490 passwords) and payroll provider ADP (7,978), which Trustwave said was surprising.

"Facebook accounts are a nice catch for cyber criminals, but payroll services accounts could actually have direct financial repercussions," the firm wrote in a blog post.

The presence of Russian social networks vk.com and odnoklassniki.ru on the list, meanwhile, "probably indicates that a decent portion of the victims comprised were Russian speakers," Trustwave added.

The Pony botnet used a reverse proxy to avoid detection and continue the scam as long as possible.

"Outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down," Trustwave said. "While this behaviour is interesting in-and-of itself, it does prevent us from learning more about the targeted countries in this attack, if there were any."

Trustwave also didn't have more details about how passwords were obtained; it's possible the malware logged keystrokes. The data did reveal, however, that many of us need to step up our password game. Almost 16,000 accounts used "123456" as their passwords, while 2,212 used "password" and 1,991 used "admin."

Overall, only five per cent of the two million passwords are what Trustwave considers to be excellent - passwords that use all four character types and are longer than eight characters. Another 17 per cent are good, 44 per cent are medium, 28 per cent are bad, and six per cent are terrible.