Researchers have unearthed a server storing more than two million pilfered login credentials for all kinds of user accounts, including those on Facebook, Yahoo, Google, Twitter, and a handful of other websites.

More than 1.5 million of the user names and passwords are for website accounts, including 318,121 for Facebook, 59,549 for Yahoo, 54,437 for Google, and 21,708 for Twitter, according to a blog post published Tuesday by researchers from security firm Trustwave's Spider Labs. The cache also included credentials for e-mail addresses, FTP accounts, remote desktops, and secure shells.

More than 1.8 million of the passwords, or 97 percent of the total, appeared to come from computers located in the Netherlands, followed by Thailand, Germany, Singapore, and Indonesia. US accounts comprised 0.1 percent, with 1,943 compromised passwords. In all, the data may have come from as many as 102 countries.

"A quick glance at the geo-location statistics above would make one think that this attack was a targeted attack on the Netherlands," Spider Labs researchers Daniel Chechik and Anat (Fox) Davidi wrote. They continued:

Taking a closer look at the IP log files, however, revealed that most of the entries from NL IP range are in fact a single IP address that seems to have functioned as a gateway or reverse proxy between the infected machines and the Command-and-Control server, which resides in the Netherlands as well. This technique of using a reverse proxy is commonly used by attackers in order to prevent the Command-and-Control server from being discovered and shut down—outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down. While this behavior is interesting in and of itself, it does prevent us from learning more about the targeted countries in this attack, if there were any.
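The observation above, that a geo-location breakdown of raw log entries can be dominated by one gateway or reverse-proxy address, is easy to check for in an incident-response workflow. The following is an added example, not Trustwave's tooling or data: it parses a small constructed log of `<timestamp> <source_ip> <country>` lines, reports the naive per-country share, then re-counts by distinct source address and flags any country whose entries come overwhelmingly from a single IP (the threshold and minimum sample size are assumptions chosen for illustration).

```python
from collections import Counter

# Constructed sample of command-and-control access log lines (not real data).
# Format per line: "<timestamp> <source_ip> <country_code>"
SAMPLE_LOG = """\
2013-11-24T10:00:01 198.51.100.7 NL
2013-11-24T10:00:02 198.51.100.7 NL
2013-11-24T10:00:03 198.51.100.7 NL
2013-11-24T10:00:04 198.51.100.7 NL
2013-11-24T10:00:05 198.51.100.7 NL
2013-11-24T10:00:06 198.51.100.7 NL
2013-11-24T10:00:07 198.51.100.7 NL
2013-11-24T10:00:08 198.51.100.7 NL
2013-11-24T10:00:09 198.51.100.7 NL
2013-11-24T10:00:10 203.0.113.5 NL
2013-11-24T10:00:11 192.0.2.10 TH
2013-11-24T10:00:12 192.0.2.11 TH
2013-11-24T10:00:13 192.0.2.20 DE
2013-11-24T10:00:14 192.0.2.30 SG
"""


def parse_log(text):
    """Return a list of (source_ip, country) tuples, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _timestamp, ip, country = parts
        entries.append((ip, country))
    return entries


def country_shares(entries):
    """Naive view: fraction of raw log entries per country."""
    counts = Counter(country for _ip, country in entries)
    total = len(entries)
    return {country: n / total for country, n in counts.items()}


def distinct_sources(entries):
    """Corrected view: number of distinct source IPs per country."""
    seen = {}
    for ip, country in entries:
        seen.setdefault(country, set()).add(ip)
    return {country: len(ips) for country, ips in seen.items()}


def find_gateways(entries, threshold=0.8, min_entries=5):
    """Flag countries where one IP accounts for >= threshold of that country's entries.

    threshold and min_entries are illustrative assumptions, not a published rule.
    Returns {country: (ip, share)}.
    """
    per_country = {}
    for ip, country in entries:
        per_country.setdefault(country, Counter())[ip] += 1
    flagged = {}
    for country, ips in per_country.items():
        total = sum(ips.values())
        if total < min_entries:
            continue  # too few samples to call anything a gateway
        top_ip, n = ips.most_common(1)[0]
        share = n / total
        if share >= threshold:
            flagged[country] = (top_ip, share)
    return flagged


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("raw share by country:", country_shares(entries))
    print("distinct sources by country:", distinct_sources(entries))
    print("likely gateways:", find_gateways(entries))
```

Run stand-alone, the script shows the Netherlands at roughly 71 percent of raw entries but only two distinct source addresses, with `198.51.100.7` flagged as the probable gateway; that is the same correction the researchers made by hand before drawing conclusions about targeted countries.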

The server was running a bot controller application known as Pony. It's unclear exactly how the credentials were originally obtained. One possibility is that they were captured using keyloggers or similar malware installed on compromised machines of end users. It could also be the case that the credentials were pilfered using phishing websites or other types of social engineering attacks.

As is often the case with mass password leaks, the discovery by Spider Labs underscores the poor security hygiene of many users. The usual offenders were there, including "123456" (used for 15,820 accounts), "123456789" (4,875), "1234" (3,135), and "password" (2,212). Overall, Spider Labs rated six percent of the passwords "terrible," 28 percent "bad," 44 percent "medium," 17 percent "good," and just five percent "excellent."
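Spider Labs' five-tier rating is the kind of triage a defender runs over a credential dump to decide which accounts need forced resets first. The following is an added example, not Trustwave's classifier, and the scoring rules (a small blocklist of known-weak passwords, minimum lengths, and a count of character classes) are assumptions chosen for illustration; the tiers reuse the page's five labels, but the cut-offs are not Trustwave's.

```python
import string

# Constructed blocklist of commonly seen weak passwords, seeded with the
# ones named in the article; a real audit would use a much larger list.
COMMON_PASSWORDS = {"123456", "123456789", "1234", "password", "qwerty", "111111"}

TIERS = ("terrible", "bad", "medium", "good", "excellent")


def char_classes(pw):
    """Count how many of lower/upper/digit/symbol classes appear in pw."""
    classes = 0
    classes += any(c.islower() for c in pw)
    classes += any(c.isupper() for c in pw)
    classes += any(c.isdigit() for c in pw)
    classes += any(c in string.punctuation for c in pw)
    return classes


def rate_password(pw):
    """Assign one of the five tiers using assumed, illustrative cut-offs."""
    if pw in COMMON_PASSWORDS or len(pw) < 6:
        return "terrible"
    n = char_classes(pw)
    if len(pw) < 8 or n == 1:
        return "bad"
    if len(pw) < 12 or n == 2:
        return "medium"
    if len(pw) < 16 or n == 3:
        return "good"
    return "excellent"


def tier_breakdown(passwords):
    """Return the percentage of passwords in each tier, rounded to one decimal."""
    counts = dict.fromkeys(TIERS, 0)
    for pw in passwords:
        counts[rate_password(pw)] += 1
    total = len(passwords) or 1
    return {tier: round(100 * counts[tier] / total, 1) for tier in TIERS}


if __name__ == "__main__":
    # Constructed sample dump, not data from the incident.
    sample = ["123456", "1234", "password", "abcdefgh", "letmein1",
              "Tr0ub4dor&3", "Correct-Horse-Battery-9", "Xy9#kLm2pQ!w"]
    for pw in sample:
        print(f"{pw!r:28} -> {rate_password(pw)}")
    print(tier_breakdown(sample))
```

The breakdown function is the piece you would feed a whole dump into; the per-password rating is what tells you, for a given account, whether a reset alone is enough or whether the account should also be checked for reuse across the other services named in the cache.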

Spider Labs' report comes two weeks after forum software maker vBulletin was hit by hackers who got access to customer password data and other personal information. Three days earlier, MacRumors, itself a user of vBulletin, also suffered a breach that exposed cryptographically hashed passwords for more than 860,000 accounts. There's no evidence those breaches are related to the leaked passwords reported Tuesday.

Listing image courtesy of practicalowl.

Story updated to add last sentence.