Over 2m Facebook, Twitter, Gmail accounts compromised in massive hack

More than two-million accounts for users of popular online services including Facebook, Twitter, Gmail and Yahoo have been compromised after malware captured, among other things, their login credentials.

According to online security specialists Trustwave, a new fork of the Pony malware — stronger than previous iterations — has helped hackers steal millions of passwords over the past couple of weeks.

While the malware has predominantly targeted well-known western sites such as Facebook, Google, Yahoo, Twitter and LinkedIn, it’s also gone after users of Russian social networks VK and Odnoklassniki. Trustwave reckons that this means a decent portion of the victims comprised were Russian speakers.

Its research also shows that payroll service provider adp.com was among the top sites compromised. As it notes, “Facebook accounts are a nice catch for cyber criminals, but payroll services accounts could actually have direct financial repercussions”.

According to Trustwave, the effected accounts didn’t exactly make things difficult for the hackers either. Take a look at the top 10 passwords for the accounts infiltrated by the malware:

Indeed, a whole lot of the passwords used by the infected accounts weren’t exactly what you’d call top-notch. Trustwave grouped the length and type of characters used in the passwords to get a gauge on their complexity and this is what it found:

“In our analysis”, says Trustwave, “passwords that use all four character types and are longer than 8 characters are considered “Excellent”, whereas passwords with four or less characters of only one type are considered ‘Terrible’.

Unfortunately, there were more terrible passwords than excellent ones, more bad passwords than good, and the majority, as usual, is somewhere in between in the Medium category”.

The security company also believes that its analysis of the malware breach shows that our security habits are only getting worse. It compared the results of this breach with an analysis performed on leaked Myspace accounts in 2006.

Back in 2006 the top ten most common passwords reportedly comprised only 0.9% of the total count. Today, in 2013, they add up to 2.4%. Trustwave notes however that “this could be a result of Myspace having a minimum complexity policy, while in our data we have various domains with differing password complexity requirements”.

If that’s really the case though, it’s an indication that people would still far rather have a password that’s easy to remember than one that’s actually safe.

The message? It’s down to individual websites to make sure their users don’t have easily hacked passwords. “If you don’t enforce a password policy,” the company says, “don’t expect your users to do it for you”.