CIO East Africa (Nairobi)

Africa: Two Million Stolen Login Credentials Discovered for Facebook, Google, LinkedIn, Twitter, Other Sites

Almost 2 million stolen website and email login credentials were found on a botnet command-and-control server, with most of the compromised accounts belonging to Facebook, Google, Yahoo, Twitter, LinkedIn and other popular services.

Security vendor Trustwave discovered the C&C server, which was located in the Netherlands. The creators of the botnet, which was made up of more than 93,000 compromised personal computers, used malware and management software known as Pony.

The credentials were not stolen directly from the sites, but from the compromised personal computers, John Miller, security research manager at Trustwave, said Wednesday. The PCs were infected with the Pony malware, which had been installed when the computer users clicked on a malicious link sent via spam.

"Even though they're accounts for online services such as Facebook, LinkedIn, Twitter and Google, it's not a result of any weakness on those companies' networks," Miller said.

The security vendor discovered almost 1.6 million website login credentials and roughly 300,000 email credentials. While many of the stolen usernames and passwords were used for the most popular U.S. sites, Trustwave also found those for two social networks aimed at Russian speakers, and

The discovery was an indication that a significant number of victims were Russian speakers. Trustwave estimates the botnet operators had compromised systems in about 100 countries.

Along with the email and website credentials, Trustwave also found almost 50,000 usernames and passwords for other services, including the remote desktop application in Windows used to log in to other computers.

In addition, there were credentials to FTP servers used to upload and download files and to secure shell accounts, which are remote command-line logins used by administrators to manage servers.

Among the top domains used by the compromised accounts was that of the payroll service provider ADP. Having credentials for the site could be lucrative, because the attackers could have access to bank account information and have the ability to cut checks or change payment recipients, Miller said.

Trustwave notified the affected sites and turned over the credentials for the compromised accounts. In addition, the vendor notified the Netherlands Computer Emergency Response Team (CERT) about the C&C server.

The Pony malware and its controller software, used to manage networks of infected machines, are found in botnets belonging to many groups of cybercriminals. Trustwave could not determine the operators of the recently discovered botnet.

Many of the stolen passwords were found to be extremely weak. The top 10 included a series of consecutive numbers between one and eight, as well as "password" and "admin."

For companies, the discovery is a warning to constantly remind employees not to click on links in suspicious emails; to choose strong passwords, preferably a combination of letters, numbers and special characters; and to avoid using the same password across online services.
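The two weaknesses the article singles out, trivially guessable passwords (runs of consecutive digits, "password", "admin") and the same password reused across services, are both things an organization can check for on its own side. The following is an added example, not code from the article or from Trustwave: a small checker that flags a password when it sits on a common-password denylist, is a consecutive-digit run, is short, or uses too few character classes, and a second helper that reports which services in a set of accounts share a password. The denylist, the 12-character minimum and the sample accounts are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed denylist modelled on the categories the article names (consecutive
# digit runs, "password", "admin"). It is an assumption for this example, not
# Trustwave's published top-ten list; a real deployment would use a large
# breached-password corpus instead.
COMMON_PASSWORDS = {
    "password", "admin", "123", "1234", "12345", "123456", "1234567",
    "12345678", "1234567890", "qwerty", "111111", "letmein", "abc123",
}


def is_digit_run(pw: str) -> bool:
    """True for strings such as '12345678' or '87654321': all digits, each one
    exactly one step up (or one step down) from the previous."""
    if len(pw) < 3 or not pw.isdigit():
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def character_classes(pw: str) -> int:
    """Count how many of the classes lower, upper, digit, symbol the password uses."""
    patterns = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return sum(1 for p in patterns if re.search(p, pw))


def assess_password(pw: str, min_length: int = 12) -> list:
    """Return the reasons a password is weak; an empty list means it passed."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("on common-password denylist")
    if is_digit_run(pw):
        reasons.append("consecutive digit sequence")
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if character_classes(pw) < 3:
        reasons.append("fewer than three character classes")
    return reasons


def find_reuse(accounts: dict) -> dict:
    """Map each password used by more than one service to the services sharing it.
    `accounts` maps a service name to the password used there."""
    by_password = defaultdict(list)
    for service, pw in accounts.items():
        by_password[pw].append(service)
    return {pw: sorted(s) for pw, s in by_password.items() if len(s) > 1}


if __name__ == "__main__":
    # Constructed sample of one user's credentials, in the spirit of the
    # article's findings: two weak passwords, one of them reused.
    sample = {
        "facebook": "12345678",
        "gmail": "password",
        "linkedin": "12345678",
        "bank": "Tr0ub4dor&3-example",
    }
    for service, pw in sample.items():
        print(service, assess_password(pw) or ["ok"])
    print("reused:", find_reuse(sample))
```

Run against the constructed sample, the checker rejects the first three passwords and reports that "facebook" and "linkedin" share one, while the long mixed-class password passes. The reuse check works on plaintext only for the sake of the demonstration; a real system never stores plaintext and would instead compare salted hashes or query a breached-password service.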


Copyright © 2013 CIO East Africa. All rights reserved. Distributed by AllAfrica Global Media.
