Researchers at Trustwave’s Spider Labs have uncovered a server with more than two million stolen login credentials. The stolen logins were for Facebook, Yahoo, Google, and Twitter accounts as well as for a handful of other sites.
According to Spider Labs blog, over 1.5 million of the stolen logins were credentials to website accounts. Another 320,000 credentials unlocked email accounts. FTP account credentials were also stolen, around 41,000 of them. The hackers also took login credentials to remote desktops and secure shell accounts.
The stolen information has been traced back to the malware known as the Pony Botnet Controller. The malware is now on version 1.9 and is known for capturing usernames and passwords on infected computers. The real problem is that Pony can be built right into a a website through a CMS control panel. When the panel hooks up to a SQL database the information is easily harvested.
At first glance it would seem that a vast majority, 97%, of the pilfered accounts come from the Netherlands. However, upon further study of the server, Spider Labs discovered that almost all of the Netherlands entries were from a single IP address. Researchers believe that this was because of a reverse-proxy between the infected computers and the command-and-control server. That means there is no way to get an accurate reading of what area was hit the hardest. However, the overall list includes over 90 countries showing that this was a global epidemic.