Stolen Facebook and Yahoo passwords dumped online Published duration 4 December 2013

image caption The database included details from many of the most popular social networks

More than two million stolen passwords used for sites such as Facebook, Google and Yahoo and other web services have been posted online.

The details had probably been uploaded by a criminal gang, security experts said.

It is suspected the data was taken from computers infected with malicious software that logged key presses.

It is not known how old the details are - but the experts warned that even out-dated information posed a risk.

"We don't know how many of these details still work," said security researcher Graham Cluley. "But we know that 30-40% of people use the same passwords on different websites.

"That's certainly something people shouldn't do."

Criminal botnet

In a blog post outlining its findings, the team said it believed the passwords had been harvested by a large botnet - dubbed Pony - that had scooped up information from thousands of infected computers worldwide.

image caption Data on the site showed how many new details were being scraped from users every day

A botnet is a network of machines controlled by criminals thanks to malicious software being installed on to computers without the owner's knowledge.

Often, criminal gangs will use botnets to steal large amounts of personal data, which can then be sold on to others or held to ransom.

In this instance, it was log-in information for popular social networks that featured most heavily.

The site - written in Russian - claimed to offer 318,121 username and password combinations for Facebook. Other services, including Google, Yahoo, Twitter and LinkedIn, all had entries in the database.

Russian-language sites VKontakte and Odnoklassniki also featured.

Chocolate teapot passwords

Trustwave said it had notified the sites and services hit prior to posting the blog entry.

Facebook highlighted that it was not at fault, and that this security risk was due to infected user machines.

"While details of this case are not yet clear, it appears that people's computers may have been attacked by hackers using malware to scrape information directly from their web browsers," a spokesman said in an email.

"People can help protect themselves when using Facebook by activating Login Approvals and Login Notifications in their security settings.

"They will be notified when anyone tries to access their account from an unrecognized browser and new logins will require a unique passcode generated on their mobile phone."

The social network said all of the users found in the database had been put through a password reset process.

Analysis of the passwords by Trustwave showed a familiar picture - the most popular password, found in the database over 15,000 times, was "123456".

Such predictable combinations made passwords completely ineffective, said Mr Cluley.