Skip to main content

Hackers stole 2M Facebook, Twitter, and Google passwords – here’s how to stay safe

123456 remains the worlds most used and worst password
JMik/Shutterstock

“Criminal botnet” sounds like something from a forgotten sci-fi serial from the 1970s, but turns out they’re real, and they’ll steal your passwords.

A botnet called Pony recently stole 2 million passwords for major online destinations like Facebook, Yahoo, Google, and Twitter, as well as payroll service Automated Data Processing. The security research team at Trustwave’s Spiderlabs discovered the massive data heist this week and outlined how the botnet works its dirty magic on their blog

The passwords were welched off devices infected with malware that gave something called the Pony Botnet Controller access to information. This version of Pony rounds up passwords with frightening efficiency; even more disturbingly, since it has successfully obtained information from a large payroll company, this criminal hack could have immediate financial repercussions for people impacted. Yikes. 

There’s no way to make your information absolutely 100 percent safe, because the collectives behind this sort of attack tend to be pretty smart at inventing new ways to get at our personal information. But there are a few steps you can take to avoid falling prey to this kind of hack. 

First, assess the situation. 

Find out if you were one of the unlucky victims at HaveIBeenPwned – the site lets you enter as many email accounts as you want and will tell you if you’ve been hacked. It might even give some follow up information about what particular security breach was responsible. If any of your accounts turn up a warning, you’d best go change that password immediately. 

Don’t choose an obvious, simple password. 

You’d think people would know by now not to use passwords like “123456” but I guess not. This kind of “chocolate teapot” password (meaning: they’re completely useless) was the most commonly stolen. Other commonly stolen passwords: 123456789, 1111111, and “admin.” Just get more creative (your birthday and name aren’t recommended, either). Setting a longer password seems like too simple a solution, but most of the passwords stolen were just that — too simple. Pony Botnet Password Chart

For Facebook, take advantage of additional security. 

Facebook told the BBC that people could safeguard their passwords by activating Login Approvals and Login Notifications in their security settings. Turning the Login Notifications on will alert you anytime someone attempts to sign in from an unknown location, and using Login Approval will generate a unique password that gets sent to your mobile phone — and both security measures could keep your Facebook information out of the hands of botnets. 

This isn’t the first time a widespread security breach has happened. This is on a notably large scale, yes, but passwords get stolen all the time. The best thing you can do is come up with a complicated, long, unique password that won’t be easy to guess, and take the time to set your security settings to notify you when unusual activity occurs. 

Kate Knibbs
Former Digital Trends Contributor
Kate Knibbs is a writer from Chicago. She is very happy that her borderline-unhealthy Internet habits are rewarded with a…
WhatsApp now lets you send self-destructing voice messages
WhatsApp logo on a phone.

If you’re on WhatsApp and regularly make use of the view once feature for photo and video messages, then you might be interested to learn that the feature has now been expanded to voice messages.

WhatsApp’s view once feature does what it says, deleting a message after it’s been viewed a single time. It’s been available for photos and videos since 2021, but now you can also send voice messages that can only be played once before they, too, disappear from the app.

Read more
X rival Threads could be about to get millions of more users
Instagram Threads app.

Threads -- Meta’s rival to X, formerly Twitter -- has just launched in the European Union (EU), a market with nearly half a billion people.

The app launched in the U.S. to much fanfare in July, with Meta hoping to attract X users disillusioned with the turbulence on the platform since Elon Musk acquired it for $44 billion 14 months ago.

Read more
X (formerly Twitter) returns after global outage
A white X on a black background, which could be Twitter's new logo.

X, formerly known as Twitter, went down for about 90 minutes for users worldwide early on Thursday ET.

Anyone opening the social media app across all platforms was met with a blank timeline. On desktop, users saw a message that simply read, "Welcome to X," while on mobile the app showed suggestions for accounts to follow.

Read more