Some 2 million user credentials for Facebook and other top services have appeared on a Russian-language website, likely thanks to malware installed on users' computers, experts tell the BBC. They believe a crime ring was probably behind the dump, which claimed to include 318,121 Facebook usernames and passwords, along with login details for users of Google, Yahoo, Twitter, LinkedIn, and Russian sites. "We don't know how many of these details still work," says a security researcher.
"But we know that 30% to 40% of people use the same passwords on different websites." Another no-no: using passwords like "123456," which appeared more than 15,000 times, making it the most common one in the database. The information was probably gathered by a botnet called Pony, that is, a collection of computers under criminal control via malware. "Computers may have been attacked by hackers using malware to scrape information directly from their web browsers," says a Facebook rep. Every Facebook user affected has had his or her password reset, the site says.