Hacker database exposed; thousands of stolen Facebook, Twitter, Google passwords found

Researchers have uncovered a database where over two million stolen login credentials are being stored. Facebook, Twitter, Google and Yahoo accounts are in the mix.
Written by Charlie Osborne, Contributing Writer

Researchers have unearthed an online database full to the brim with stolen account information from popular services including Facebook, Yahoo, Twitter and Google.

On Tuesday, the security team at Trustwave's Spider Labs revealed in a blog post that 1,580,000 of the usernames and passwords on the server are for website accounts, including 318,121 Facebook login credentials, 21,708 Twitter accounts, 54,437 Google-based accounts and 59,549 Yahoo accounts. A further 320,000 email account credentials were also stolen, and the remaining compromised accounts on the server are FTP accounts, remote desktop details and secure shell accounts.

Demographically, the Netherlands seemed to be targeted the most, as 97 percent of the stolen credentials belong to users in the country -- followed by Thailand, Germany, Singapore, and Indonesia. The United States accounted for fewer than 2,000 stolen credentials.

[Image: geo-location statistics for the stolen credentials. Credit: Spiderlabs]

"A quick glance at the geo-location statistics above would make one think that this attack was a targeted attack on the Netherlands," the researchers said. "Taking a closer look at the IP log files, however, revealed that most of the entries from NL IP range are in fact a single IP address that seems to have functioned as a gateway or reverse proxy between the infected machines and the Command-and-Control server, which resides in the Netherlands as well."

This, in turn, prevents the researchers from truly knowing which countries were most targeted, if any. In addition, as over 90 countries were accounted for on the list, it shows the cyberattack was global.
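The skew the researchers describe can be checked in a server log by comparing per-entry country counts with per-source-IP counts. The following is an added example, not code from Trustwave or this article; the log layout, the documentation-range IP addresses, and the thresholds are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample: (source_ip, country) pairs as a server might log them.
# 203.0.113.10 stands in for a gateway/reverse proxy relaying many machines.
SAMPLE_LOG = (
    [("203.0.113.10", "NL")] * 96
    + [("203.0.113.77", "NL"), ("198.51.100.5", "TH"),
       ("192.0.2.20", "DE"), ("192.0.2.21", "SG")]
)

def country_share(entries):
    """Percentage of entries per country: the naive geo-location view."""
    counts = Counter(country for _, country in entries)
    total = sum(counts.values())
    return {c: round(100 * n / total, 1) for c, n in counts.items()}

def dominant_sources(entries, threshold=0.5, min_entries=10):
    """Map country -> IP where one IP supplies more than `threshold`
    of that country's entries (ignoring countries with too few entries)."""
    per_country = defaultdict(Counter)
    for ip, country in entries:
        per_country[country][ip] += 1
    flagged = {}
    for country, ips in per_country.items():
        total = sum(ips.values())
        ip, hits = ips.most_common(1)[0]
        if total >= min_entries and hits / total > threshold:
            flagged[country] = ip
    return flagged

def distinct_ip_share(entries):
    """Percentage per country when each source IP is counted once.
    The machines behind a flagged gateway stay unknown; this only
    stops one relay from dominating the statistics."""
    return country_share(set(entries))

if __name__ == "__main__":
    print("by entry:      ", country_share(SAMPLE_LOG))
    print("dominant IPs:  ", dominant_sources(SAMPLE_LOG))
    print("by distinct IP:", distinct_ip_share(SAMPLE_LOG))
```

A country flagged by `dominant_sources` should be read as "location of a relay", not "location of victims".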

The culprit is called the Pony Botnet controller. Version 1.9 of the botnet is a powerful piece of spying and keylogging malware that captures the passwords and login credentials of infected users when they access applications and Internet sites. The botnet can be built and hosted directly on a website through a CMS control panel, where hooking it up to an SQL database automatically stores the details harvested from infected users.

The investigation also uncovered terrible password habits of website users. The most common passwords were "123456," "123456789," "1234" and "password." Will we ever learn?
