Want CNET to notify you of price drops and the latest stories?

Researchers discover database with 2M stolen login credentials

The database contains stolen usernames and passwords associated with Facebook, Twitter, Google, Yahoo, and more.

Charlie Osborne Contributing Writer
Charlie Osborne is a cybersecurity journalist and photographer who writes for ZDNet and CNET from London. PGP Key: AF40821B.
Charlie Osborne
2 min read

Researchers have unearthed an online database full to the brim of stolen account information from popular services including Facebook, Yahoo, Twitter, and Google.

On Tuesday, the security team at Trustwave's SpiderLabs revealed in a blog post that the database contained 1.58 million stolen usernames and passwords. The login credentials were associated with 318,121 Facebook accounts, 21,708 Twitter accounts, 54,437 Google-based accounts, and 59,549 Yahoo accounts. The database also contained approximately 320,000 stolen email account credentials. The remaining number of compromised accounts on the server were FTP accounts, remote desktop details, and secure shells.


Demographically, the Netherlands seemed to be targeted the most, as 97 percent of the stolen credentials belonged to users in that country -- followed by Thailand, Germany, Singapore, and Indonesia. The United States accounted for less than 2,000 stolen credentials.


"A quick glance at the geolocation statistics above would make one think that this attack was a targeted attack on the Netherlands," the researchers said. "Taking a closer look at the IP log files, however, revealed that most of the entries from NL IP range are, in fact, a single IP address that seems to have functioned as a gateway or reverse proxy between the infected machines and the command-and-control server, which resides in the Netherlands as well."

This, in turn, prevents the researchers from truly knowing which countries were most targeted, if any. In addition, as more than 90 countries were accounted for on the list, it shows the cyberattack was global.

The culprit is called the Pony Botnet controller. Version 1.9 of the botnet is a powerful spy and keylogging type of malware which captures passwords and login credentials of infected users when they access applications and Internet sites. The botnet can be built and hosted directly on a Web site through a CMS control panel, where hooking up to an SQL database automatically will store details harvested from infected users.

The investigation also uncovered terrible password habits of Web site users. The most common passwords were 123456, 123456789, 1234, and simply the word password.

Will we ever learn?

This story originally appeared as "Hacker database exposed; thousands of stolen Facebook, Twitter, Google passwords found" on ZDNet.