BOSTON -- Security experts have uncovered a trove of some 2 million stolen passwords to websites including Facebook, Google, Twitter and Yahoo from Internet users across the globe.
Researchers with Trustwave's SpiderLabs said they discovered the credentials while investigating a server in the Netherlands that cyber criminals use to control a massive network of compromised computers known as the "Pony botnet."
The company told Reuters on Wednesday that it has reported its findings to the largest of more than 90,000 websites and Internet service providers whose customers' credentials it had found on the server.
The data includes more than 326,000 Facebook (FB) accounts, some 60,000 Google (GOOG) accounts, more than 59,000 Yahoo (YHOO) accounts and nearly 22,000 Twitter (TWTR) accounts, according to SpiderLabs. Victims' were from the United States, Germany, Singapore and Thailand, among other countries.
Representatives for Facebook and Twitter said the companies have reset the passwords of affected users. %VIRTUAL-article-sponsoredlinks%A Google spokeswoman declined comment. Yahoo representatives couldn't be reached.
SpiderLabs said it has contacted authorities in the Netherlands and asked them to take down the Pony botnet server.
Graham Cluley, an independent security expert, said it is extremely common for people to use such simple passwords and also re-use them on multiple accounts, even though they are extremely easy to crack.
"People are using very dumb passwords. They are totally useless," he said.
You Thought You Were Safe? The Myths and Realities of Your Online Security
Cyber Experts Uncover 2 Million Stolen Passwords to Web Accounts
For years, security professionals have emphasized the importance of shredding your personal documents before you throw them out. But Holland notes that shredding isn't as much of a priority as it used to be. "There aren't nearly as many documents with personal information out there as there were even just two years ago," he explains. "These days, it's much easier to get your information off your computer."
Passwords are your first line of defense against intruders. But, as Holland points out, even the most careful people sometimes have password breaches. "I've helped chief privacy officers from health care and security firms," he notes. "If they're getting hit, then anyone is vulnerable." While Holland notes the importance of having a good password, he emphasizes that the most important thing is paying attention to password breach notifications. If you hear that one of your passwords may have been breached, he counsels, change it immediately. And, because many of your accounts may be linked, he notes, it's not a bad idea to change the rest of your passwords as well.
One piece of advice that you don't often hear is to keep on top of software updates. But, Holland argues, updating your operating system, your software, and your security programs is one of the easiest and most important ways to ensure your security. Software companies spend a lot of time and money trying to stay ahead of online intruders -- it only makes sense to take advantage of their work.
Even if you are convinced that your security is state-of-the-art and your password is unbreakable, it never hurts to double-check your most sensitive accounts. Holland suggests regularly checking your bank and credit card statements to ensure that there aren't any inappropriate charges on your accounts. As a side benefit, this is also a great way to catch any unexpected fees that your bank may try to spring on you.
When a breach happens, a fast response can mean the difference between a minor annoyance and a major pain in the neck. With that in mind, Holland suggests talking to your bank about having transaction alerts placed on your account. Every time your account is credited with a transaction over a particular amount -- $50, for example -- your bank will send you an e-mail or text notification. If it's an expected transaction, you can discard the message; if not, you'll be able to respond immediately.
Every year, you are entitled to a free credit report from each of the reporting bureaus. Holland suggests taking advantage of this free service, noting that your credit report is a great way to track your outstanding debts and ensure that nobody is trying to open false accounts in your name. He emphasizes, however, that the best way to get your free report is by going to AnnualCreditReport.com, not FreeCreditReport.com. "That site's a scam," he laughs.