Cybersecurity firm Trustwave announced on Tuesday that credentials for nearly 2 million online accounts have been stolen, compromising the privacy of users of Facebook, Yahoo, Google, Twitter, and payroll service company ADP in nearly 100 countries. According to Trustwave, the breach was likely carried out using keylogging malware, began on October 21, and is possibly ongoing. CNN reports that Trustwave has alerted affected users of the security breach.
Trustwave says that roughly 1.58 million website logins, 320,000 email accounts, and several other credentials were stolen. According to CNN, the breach affected 318,000 Facebook; 70,000 Gmail, Google+, and YouTube; and 22,000 Twitter accounts, among others. A security research manager at Trustwave told USA Today that though the company cannot prove the information was used, hackers probably did log in to compromised accounts. The most severe repercussions could be for the 8,000 affected ADP users, whose financial information is linked to the service.
Compromised users are mostly concentrated in the Netherlands, followed by Thailand, Germany, Singapore, the United States and others.
A spokesperson for Trustwave said that the companies should not be blamed for the security failure, explaining to Mashable that "Individual users had the malware installed on their machines and had their passwords stolen. Pony [botnet controller] steals passwords that are stored on the infected users' computers as well as by capturing them when they are used to log into web services."
The users, however, may be somewhat more culpable. Trustwave analyzed the passwords it recovered and found that many people are still not heeding the warning to avoid weak passwords:
In our analysis, passwords that use all four character types and are longer than 8 characters are considered "Excellent", whereas passwords with four or fewer characters of only one type are considered "Terrible". Unfortunately, there were more terrible passwords than excellent ones, more bad passwords than good, and the majority, as usual, is somewhere in between in the Medium category.
They found that the top two passwords among those recovered were 123456 and 123456789. They also found that the average MySpace user back in 2006 was better at choosing passwords than we are today:
Back in 2006 the top ten most common passwords comprised only 0.9% of the total count. Today, in 2013, they add up to 2.4%.
We are, at least, using longer passwords than we did back in 2006.
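The two measurements quoted above (the character-class strength categories and the share of a dump taken up by its ten most common passwords) are easy to reproduce against any list of recovered credentials. The following is an added example written for this page, not Trustwave's code: the "Excellent" and "Terrible" rules follow the quoted definitions exactly, while the "Good" and "Bad" boundaries are assumptions made here because the article does not state them, and the sample corpus is constructed rather than taken from the breach.

```python
"""Password-strength audit in the style of the Trustwave Pony analysis.

Added example, not Trustwave's code. "Excellent" and "Terrible" follow the
quoted definitions; "Good" and "Bad" are assumed thresholds (the article
does not give them). SAMPLE_CORPUS is constructed for illustration.
"""
from collections import Counter


def char_classes(password: str) -> set:
    """Return the set of character classes present: lower, upper, digit, symbol."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")  # punctuation, whitespace, anything else
    return classes


def classify(password: str) -> str:
    """Map a password to Excellent / Good / Medium / Bad / Terrible."""
    n_classes = len(char_classes(password))
    length = len(password)
    # Definitions quoted from Trustwave in the article:
    if n_classes == 4 and length > 8:
        return "Excellent"
    if n_classes <= 1 and length <= 4:
        return "Terrible"
    # Assumed boundaries for the categories the article names but does not define:
    if n_classes >= 3 and length >= 8:
        return "Good"
    if n_classes <= 1 or length < 6:
        return "Bad"
    return "Medium"


def strength_distribution(passwords) -> Counter:
    """Count how many passwords fall into each category."""
    return Counter(classify(p) for p in passwords)


def top_n_share(passwords, n: int = 10) -> float:
    """Fraction of all entries accounted for by the n most common passwords.

    This is the figure quoted as 0.9% (MySpace, 2006) versus 2.4% (Pony, 2013).
    """
    counts = Counter(passwords)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    top = counts.most_common(n)
    return sum(c for _, c in top) / total


# Constructed sample corpus (not leaked data): a few heavily reused passwords
# plus many unique ones, mimicking the skew seen in real credential dumps.
SAMPLE_CORPUS = (
    ["123456"] * 10
    + ["123456789"] * 6
    + ["password"] * 4
    + [f"user{i:03d}pw" for i in range(180)]
)


if __name__ == "__main__":
    dist = strength_distribution(SAMPLE_CORPUS)
    for cat in ("Excellent", "Good", "Medium", "Bad", "Terrible"):
        print(f"{cat:9s} {dist.get(cat, 0)}")
    print(f"top-10 share: {top_n_share(SAMPLE_CORPUS) * 100:.1f}%")
```

Note that under the quoted definition "123456" is not "Terrible" (it has six characters, not four or fewer); it lands in the assumed "Bad" bucket here, which is one reason a length-only or class-only rule is a poor proxy for guessability. A real audit would pair this with a check against a list of known-breached passwords.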