Facebook, Google, LinkedIn, Twitter and Yahoo! were among a group of high-volume websites that had more than 2 million usernames and passwords stolen and posted online Wednesday.
The website is written in Russian and claims to have more than 300,000 usernames with passwords for Facebook alone.
Security experts from Trustwave speculate that a criminal group stole the information via computers infected with malware that records key presses and transmits the data to the attackers.
Criminals can then effectively control the computers without users’ knowledge, recording their personal data for identity theft via a botnet – a network of infected computers. They can then turn around and sell or ransom such data.
“We don’t know how many of these details still work, but we know that 30 to 40 percent of people use the same passwords on different websites,” security researcher Graham Cluley said in a BBC report. “That’s certainly something people shouldn’t do.”
The age of the passwords isn’t known, but the same experts warn that even outdated information can be used to harm users.