Two million passwords were stolen from Facebook, Yahoo, LinkedIn, Twitter, and Google users, then posted online. Security firm Trustwave discovered the breach and announced it on Tuesday. It isn’t known how old the information is, but experts warned that even outdated information can pose a risk.
Security researcher Graham Cluley explained to the BBC, “We don’t know how many of these details still work. But we know that 30-40% of people use the same passwords on different websites. That’s certainly something that people shouldn’t do.”
In its blog post, Trustwave explained that the passwords were probably harvested by a large botnet that collected credentials from infected machines all around the world. Attackers often use botnets to infect computers and steal large amounts of data, in this case usernames and passwords, and then either sell the data to others, hold it for ransom, or post it for the public to see.
Trustwave added that it had notified the affected sites before publishing the blog entry. Facebook said its own systems were not breached; the risk came from infected user machines. A spokesman for the social network explained in an email, “While details of this case are not yet clear, it appears that people’s computers may have been attacked by hackers using malware to scrape information directly from their browsers.”
The social network added that all of its users who appeared in the stolen-password database were sent through a password reset process. It wasn’t clear whether the other affected sites were doing the same.