Hackers Stole 2M Facebook, Google Passwords: How to Protect Your Accounts

The computer security firm Trustwave suspects the malware program 'Pony.'

By ABC News
December 5, 2013, 11:09 AM

Dec. 5, 2013 -- Any time you logged into Facebook, Google, Twitter, or a host of other popular web services the past month, there may have been a hacker peering over your digital shoulder, sneaking a peek at your password.

The information security company Trustwave has revealed that the passwords to 2 million different accounts have been compromised. The malware program Pony forwarded the vast majority of the passwords to a central server in the Netherlands.

John Miller, security research manager at Trustwave, said that the hack wasn't due to a flaw in any of those companies' servers. "It was the individual users' computers that had the malware installed on their machine," he told ABC News. He adds that the unnamed hackers were most likely motivated by profit. "These passwords were never publicly posted. We can't say for sure, but [the hackers] were probably going to sell them."

Many of the services whose users were affected have already taken action. "They may not necessarily inform users with an email," said Miller. However, he adds that affected users will be asked to reset their password after logging into their account.

Trustwave analyzed the passwords that were compromised in the hack and saw some of the trends usually associated with bad password security. The most common password was 123456. In addition, nearly half of all passwords used a single character type, such as all lowercase letters or all numbers.

"For a better password, we recommend a mix of uppercase, lowercase, numbers, and special characters," said Miller. "We also recommend using longer passwords of 16 or more characters, as well as using different passwords on different websites."
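As an added example (not from the article or from Trustwave), a small Python audit that classifies a constructed sample of passwords the way the reported trends were measured: the most common value, the share built from a single character type, and how many meet Miller's advice of mixing all four character classes at 16 or more characters. The sample list is constructed, not leaked data.

```python
import string
from collections import Counter

# Constructed sample standing in for a leaked credential dump (not real data).
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "password", "qwerty",
    "abcdef", "111111", "letmein", "Passw0rd", "Tr0ub4dor&3",
    "correct horse battery staple", "X9#kQ2!vL8@pR4$z",
]

# The four character classes Miller recommends mixing; space counts as special.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation + " "),
}

def char_classes(pw):
    """Return the set of character classes present in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}

def meets_recommendation(pw, min_len=16):
    """Miller's advice: all four classes present and 16 or more characters."""
    return len(pw) >= min_len and len(char_classes(pw)) == 4

def audit(passwords):
    """Summarise composition trends the way a breach analysis would report them."""
    counts = Counter(passwords)
    single_class = sum(1 for pw in passwords if len(char_classes(pw)) == 1)
    return {
        "total": len(passwords),
        "most_common": counts.most_common(1)[0],          # (value, occurrences)
        "single_class_fraction": single_class / len(passwords),
        "meet_recommendation": sum(1 for pw in passwords if meets_recommendation(pw)),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_PASSWORDS).items():
        print(f"{key}: {value}")
```

On the constructed sample, two thirds of the entries use a single character type and only one entry satisfies the length-and-mix recommendation; the same functions run unchanged over a real dump read one password per line.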

But even the most secure password wouldn't have been safe from the Pony malware. To that end, Miller said to practice good browsing habits. "Keep your anti-virus software up to date and make sure your browsers are updated and patched to the latest version," he said.

And above all, don't click that suspicious-looking link in your email. "Pony is sent through spam links," said Miller.