Password hack nets 2 million Facebook, Twitter users

Hackers have stolen almost two million passwords for large websites including Facebook, Twitter and Gmail, in a massive security breach discovered by authorities in the Netherlands.

According to internet security firm Trustwave, roughly twomillion credentials to log into some of the world's most popular websites and email services have been stolen in a sophisticated scheme.

According to the company, the keystone appears to be a server that was infecting other computers, turning them into "zombies" to collect more log-in informationand relay the information back to thePonybotnet, which has been tied to maliciouscyberactivityin the past.

Users in 92 countries and 93,000 different websites are believed to beaffected.

"As one might expect, most of the compromised web log-ins belong to popular websites and services such as Facebook, Google, Yahoo, Twitter, LinkedIn, etc.," Trustwave said on its website.

The company sayshackers stoleat least:

• 318,000 Facebook accounts
• 70,000 Gmail accounts
• Almost 60,000 Yahoo accounts
• 21,000 Twitter passwords
• 8,500 LinkedIn accounts
• 41,000 FTP account credentials

In total, some1,580,000website login credentials were stolen, in addition to320,000email account credentials.

Some of the larger affected websitesincluding Facebook, Twitter and Gmail, say they are aware of the breach and have notified and reset the passwords of affected accounts.

Two Russian websites were high on the list, a sign that the country could be tied to the attack. And Trustwave noted the presence of job staffing firm ADP.com in the mix.

ADPissues a closely watched index of U.S. jobs that often moves markets.

"Facebook accounts are a nice catch for cyber-criminals, but payroll services accounts could actually have direct financial repercussions," Trustwave noted.

The payroll firm says it doesn't think its systems were compromised, however.

"At this time, ADP has determined that none of its internal networks and servers has been compromised, and no intrusion has occurred," ADP said in a statement on its website.

Still, the presence on non-traditional accounts on the list is what has cybersecurity experts so troubled by the scope of the breach.

Bank info the goal

"The goal isnt to gain control over social media,the plan is to get thatpassword and knowing that it's human nature to use the same password everywhere," says Avner Levin, the director of Ryerson's privacy and cybersecurity program.

"Maybe there was acredit card receipt delivered to your email. Theycan piece it together [and] thats where they can make the money for their operations."

It's old advice, but Levin says the best thing people can do to avoid such security breaches is to not use the same passwords across multiple accounts, and make them hard to crack.

"Even if we had like two or three, it would really stymie a lot of these attempts," he said.

As is common withsecurity breaches like this, Trustwave says people aren't taking security issues seriously enough. At least 16,000 of the stolen passwords for accounts were "123456" and others such as "111111" and "password" featured prominently in the hack.