December 4, 2013 5:41 pm

Over 2 million stolen Facebook, LinkedIn and Google passwords leaked online

[Photo: Nico De Pasquale Photography/Flickr. Caption: Cyber security experts argue white hat hackers are vital to security research, but these hackers are sometimes leery of reporting vulnerabilities to government agencies and vendors because of legalities.]

TORONTO – Over two million stolen user passwords for social media sites including Facebook, LinkedIn and Google have been leaked online, according to a report by security firm Trustwave.

According to a blog post published by the firm on Tuesday, the password information was posted on a Russian website and contained log-in information for Facebook, LinkedIn, Google, Twitter, Yahoo and more.


Trustwave reported that 1,580,000 website login credentials and 320,000 email account credentials have been stolen from users around the world. The security firm noted in a blog post that the information was posted to a website written in Russian.

In an interview with the BBC, which first reported the password dump, security researchers from Trustwave said the passwords appear to have been uploaded by a “criminal gang” using malicious software that logs pressed keys from a user’s computer.

In a statement to Global News, a Facebook spokesperson said it has issued a password reset for any users whose passwords may have been exposed.

“Facebook takes people’s information security extremely seriously and we work hard to protect it. While details of this case are not yet clear, it appears that people’s computers may have been attacked by hackers using malware to scrape information directly from their web browsers,” said a Facebook spokesperson.

“As a precaution, we’ve initiated a password reset for people whose passwords were exposed.”

Facebook also encouraged users to protect themselves by using Facebook “Login Approvals” – which send the user a notification when someone tries to access their account from an unrecognized browser – and “Login Notifications” – which allow for two-step authentication via mobile phone – for added security on their accounts.

LinkedIn also cautioned users to use added protection against malicious software and noted that it is working with SpiderLabs to reset the passwords of those affected by the leak.

“LinkedIn proactively seeks out credentials dumped on the Internet by hackers as well as credentials gathered by malware; we then compare the credentials to those of our members and any matches result in immediate invalidation of those passwords,” a LinkedIn spokesperson told Global News.

“We’ve already been working with [Trustwave] SpiderLabs to reset the passwords of the accounts whose LinkedIn credentials were on the list.”

A Google spokesperson declined to comment on the incident in particular, but did encourage users with security concerns to read up on Google’s account protection features.

Trustwave also noted in its report that a large number of leaked passwords were weak ones – including passwords like “123456,” “1234,” and “password.”

“In our analysis, passwords that use all four character types and are longer than 8 characters are considered ‘Excellent’, whereas passwords with four or less characters of only one type are considered ‘Terrible’,” read Trustwave’s blog post.

“Unfortunately, there were more terrible passwords than excellent ones, more bad passwords than good, and the majority, as usual, is somewhere in between in the Medium category.”
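The two rules Trustwave quotes above are simple enough to apply to a credential list when auditing for weak passwords. The script below is an added example and is not Trustwave’s analysis code; it assumes the “four character types” are lowercase, uppercase, digits and symbols (the article does not list them), and it collapses the undefined Bad/Medium/Good categories into a single “In-between” bucket. The sample passwords are constructed here and include the three the article quotes; note that by the article’s own definitions “123456” and “password” are not “Terrible”, since they are longer than four characters.

```python
import string
from collections import Counter

# Assumed character classes for the "four character types" rule;
# the article does not enumerate them.
_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def char_types(password: str) -> int:
    """Count the distinct character classes present in the password."""
    return sum(1 for chars in _CLASSES.values() if any(c in chars for c in password))


def classify(password: str) -> str:
    """Apply the two categories the article defines.

    Excellent: all four character types and longer than 8 characters.
    Terrible:  four or fewer characters of only one type.
    Anything else falls into 'In-between' (the article's Bad/Medium/Good
    tiers are not defined on the page, so they are not modelled here).
    """
    n_types = char_types(password)
    if n_types == 4 and len(password) > 8:
        return "Excellent"
    if n_types <= 1 and len(password) <= 4:
        return "Terrible"
    return "In-between"


def tally(passwords):
    """Return a Counter of category -> number of passwords, as a dump audit would."""
    return Counter(classify(p) for p in passwords)


# Constructed sample list (not from the dump); the first three are quoted in the article.
SAMPLE = ["123456", "1234", "password", "Tr0ub4dor&3!", "abcd", "Hello2013", "!!!!"]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p!r:16} {classify(p)}")
    print(tally(SAMPLE))
```

Run over a real leaked list, the tally gives the same kind of distribution Trustwave describes; the interesting point for defenders is how many obviously guessable passwords land in the middle tier rather than in “Terrible”, which is why a blocklist of common passwords matters more than a length-and-class rule alone.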

If users have concerns about the security of their account, the best bet is to change the account password and enable any added security features such as two-step authentication.

© Shaw Media, 2013
