SpiderLabs / Trustwave

More than 2 million passwords for some of the most popular spots on the Internet — including Facebook, Twitter and Google — are now a matter of public record, according to a fresh report from SpiderLabs, a research arm from security firm Trustwave.

SpiderLabs says it uncovered the bounty of potentially valuable (and often ridiculously simple) log-ins during its latest Internet sweep for the Pony botnet controller, a malware-spreading set of programs which the researchers say they're increasingly encountering online. This means the passwords were not leaked by Facebook and the like, but from thousands of infected computers that collected the data when users logged onto their accounts.

Whether or not the passwords are current or out-dated is unknown, but the attack appears to be "fairly global," SpiderLabs reports. "At least some of the victims are scattered all over the world." What's more, many of the passwords were fairly simple, with that old chestnut "123456" topping the list as the password for 15,820 accounts. ("12346789" came in at number two with 4,875 instances.) This could mean extra bad things the 30 to 40 percent of Internet users who use the same password on multiple accounts — say Facebook ... and their bank account.

"Facebook takes people’s information security extremely seriously and we work hard to protect it," a Facebook spokesperson said in a statement. "While details of this case are not yet clear, it appears that people’s computers may have been attacked by hackers using malware to scrape information directly from their Web browsers."

Facebook's recommendation is to engage the site's two-factor authentication, which requires a passcode from your phone as well as your standard password. Twitter, Yahoo, Google and others also have an option like this, so it helps to look into the settings of all of your major Internet services.

But hey, it's always a good day to change your password, too.

Helen A.S. Popkin is Deputy of Technology & Science editor for NBCNews.com. Join her, won't you on Twitter and /or Facebook.