2 Million Facebook, Twitter, LinkedIn and Gmail Accounts compromised by Hackers

Dec 6, 2013

Over 2 million accounts from Facebook, Twitter, LinkedIn and Gmail have been compromised by hackers. This was done by man-in-the-middle attack by hackers, using a malware to record login credentials of users.

~1,580,000 website login credentials stolen
~320,000 email account credentials stolen 
~41,000 FTP account credentials stolen
~3,000 Remote Desktop credentials stolen
~3,000 Secure Shell account credentials stolen

2 Million Facebook, Twitter, LinkedIn and Gmail Accounts compromised by Hackers

A web security firm TrustWave, is reporting that hackers used Pony malware to infect users’ systems, then using key-logging capabilities, recorded user passwords for Facebook, Twitter, LinkedIn and Gmail.

”Although these are accounts for online services such as Facebook, LinkedIn, Twitter and Google, this is not the result of any weakness in those companies networks," said Abby Ross, a spokesperson for Trustwave. "Individual users had the malware installed on their machines and had their passwords stolen.

Pony steals passwords that are stored on the infected users' computersas well as by capturing them when they are used to log into web services.”

According to the report, the malware was sending the logged information to a server in the Netherlands, and targets were computer users in the US, Germany, Singapore, Thailand and others. What points at this activity to be more criminal in nature, than just some blackhat, trying to piss people off is the fact that the recorded user-credentials have not been posted online. Criminals have been known to utilize user-credentials in order to invade bank accounts and identity theft.

In spite of global efforts by a variety of service and social media websites, weak passwords remain a continuous problem. According to Trustwave,

"In our analysis, passwords that use all four character types and are longer than 8 characters are considered 'excellent,' whereas passwords with four or less characters of only one type are considered 'terrible,'" Trustwave wrote on its blog. "Unfortunately, there were more terrible passwords than excellent ones, more bad passwords than good, and the majority, as usual, is somewhere in between in the medium category.”

So, if you were responsible for keeping your birth date, announced on Facebook, as the password to your bank account, well you are pretty much asking for it.