"Hackers using malware have wormed their way into about 2 million user accounts on some of the most popular sites on the Web: including Facebook and Google and ADP.
According to researchers from the Chicago-based firm Trustwave, hackers used a botnet called Pony to pull off the massive theft. Pony can capture passwords by tapping into users' browsers to collect the login credentials that they enter on Web sites.
John Miller, Trustwave's security research manager, said they've been aware of the botnet for about a year and that Pony is often sold and rebundled as a tool as part of larger data thefts. The firm estimates that the software collects up to hundreds of thousands of passwords from Web sites, email providers and other accounts each day. He also warned that the malware is likely collecting more information than Trustwave discovered on this particular server and that there could be other servers that have collected a similar amount of data through the malware.
Although the 2 million user figure may pale in comparison to other recent Internet data thefts, such as the theft of an estimated 150 million usernames and passwords from Adobe back in November, Pony can cast a far wider net, according to Miller. The most worrisome part of this attack is that the malware targets individual users, as opposed to large company security systems, meaning that there's little the Googles and Facebooks of the world can do.
Additionally, ADP issued a statement on Wednesday saying it was aware of the attack and that, "to our knowledge, none of ADP's clients has been adversely affected by the compromised credential." Still, according to ADP, the company is requiring a password reset for the 2,400 of its clients who were affected by the attack out of an "abundance of caution."
Twitter, Facebook, LinkedIn and Yahoo confirmed that they are working with Trustwave to reset the passwords on affected user accounts on their networks. Google declined to comment on the malware attack.
Miller said that, ultimately, the onus falls on corporations and individuals to run regular antivirus scans on their computers. Companies can install software that prevents employees from downloading malware such as Pony, and individuals can do the same for their personal and home computers. Those targeted by the attack should also change the login information of any account that shares a username or password with the affected account.