2 Million Gmail, Facebook and Twitter Accounts Reportedly Compromised In Pony Botnet Hack

Here's a bit of news that's far from deserving of a "Giddyup!": Thanks to the work of a botnet called "Pony", hackers have gained access to credentials for over 2 million individual accounts. These accounts span the entire gamut: Facebook, Twitter, Google (Gmail), and even a payroll service provider - perhaps the most dangerous of them all.

Pony works as a keylogger, capturing login details as users type them in. In this particular instance, the transactions end up going through a central server in the Netherlands, one that security analysis firm Trustwave has been tracking. After discovering all of the accounts that Pony had been exploiting, the firm notified the biggest companies in question, and prepared some in-depth analysis of just what it was that the botnet gathered, and from where.

Of the user credentials stolen, 1.58 million were website logins, while 320,000 were for email. Further, 41,000 FTP, 3,000 remote desktop, and 3,000 secure shell credentials were also taken.

The leader of the pack here was Facebook, with a staggering 318,000 accounts compromised; Yahoo!, by contrast, placed second, with 59,000. Clearly, these 2 million accounts encompass a wide variety of websites.

When analyzing the geo-location stats, it was discovered that the vast majority of credentials were routed through the Netherlands - something that was expected, given Trustwave's focus on a particular server there. Other countries might as well not even rank.

Whenever credentials leak en masse from a breach like this, the passwords themselves get a close look, simply because they're sure to trigger some head-scratching. This case is no exception. About 16,000 people used the password "123456", and 2,200 used "password". Further, the number of people who mixed multiple character types in their passwords is, as expected, far too low.
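The kind of tally described above (most common passwords, and how many mix several character classes) is straightforward to reproduce on any credential dump you are asked to assess after a breach. The script below is an added example written for this article, not Trustwave's analysis code; it reads constructed `site,username,password` lines, counts password frequency, and buckets each password by length and character-class mix using assumed thresholds. The sample accounts are made up.

```python
"""Audit a leaked-credential sample for weak passwords.

Added illustration (not Trustwave's or the article's code): given lines of
"site,username,password", tally the most common passwords and bucket each
password by how many character classes it mixes. Sample data below is
constructed for the example and does not describe real accounts.
"""
from collections import Counter
import string

# Constructed sample dump: site,user,password (fake accounts, not real data).
SAMPLE_DUMP = """\
facebook.com,alice@example.com,123456
twitter.com,bob@example.com,password
gmail.com,carol@example.com,123456
yahoo.com,dave@example.com,Tr0ub4dor&3
ftp.example.net,eve,letmein
facebook.com,frank@example.com,123456
payroll.example.com,grace,Winter2013
"""

# Character classes used to judge how "mixed" a password is.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def parse_dump(text):
    """Yield (site, user, password) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split(",", 2)  # split at most twice: a password may contain commas
        if len(parts) == 3 and parts[2]:
            yield tuple(parts)


def char_classes(password):
    """Number of distinct character classes present in the password (0-4)."""
    return sum(1 for chars in CLASSES.values() if any(c in chars for c in password))


def strength_bucket(password):
    """Coarse strength label from length and class mix (assumed thresholds)."""
    classes = char_classes(password)
    if len(password) < 8 or classes == 1:
        return "weak"
    if classes < 3:
        return "medium"
    return "strong"


def audit(text, top_n=3):
    """Return the most common passwords, a class-count histogram and strength buckets."""
    passwords = [pw for _, _, pw in parse_dump(text)]
    return {
        "total": len(passwords),
        "top": Counter(passwords).most_common(top_n),
        "classes": dict(Counter(char_classes(pw) for pw in passwords)),
        "buckets": dict(Counter(strength_bucket(pw) for pw in passwords)),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_DUMP)
    print(f"{report['total']} credentials")
    for pw, n in report["top"]:
        print(f"  {n:>4}  {pw}")
    print("character classes:", report["classes"])
    print("strength buckets:", report["buckets"])
```

On the constructed sample, "123456" tops the list and five of the seven passwords land in the weak bucket; swapping `SAMPLE_DUMP` for a file read gives the same summary for a real dataset, which is the figure you would use when deciding which accounts to force-reset first.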

The thing to note about this data-gathering effort is that this is just one operator. Pony's source code has been floating about, which means there are sure to be other operators around the globe taking advantage of it as well - a scary thought.


Via: Spiderlabs