
Two million stolen passwords: How to protect yourself


This week Trustwave security researchers uncovered a criminally controlled web server that contains nearly two million stolen account usernames and passwords for many popular sites, including Facebook, Twitter, LinkedIn, Google and Yahoo. Over the past few days, news outlets worldwide have reported on the discovery, and many people, including our customers, have questions about the malware, its impact and how they can protect themselves.

What we know

Users most likely had their credentials stolen when they errantly clicked on a malicious link or attachment, or unknowingly visited a malicious website that installed data-stealing malware, known as "Pony", onto their computers. This malware then delivered their usernames and passwords to a botnet server. Pony malware has two methods of stealing credentials. First, it scans through stored passwords in a user's browsers, email clients and other software. Second, it monitors web traffic to identify when a user is logging into a website and then attempts to steal the password.

Malware mitigation tips

Below is some general advice about protecting yourself against this and future attacks, which likely will take on similar characteristics.

Don't click on suspicious links or open suspicious attachments: One of the ways the Pony malware spreads is through email. If you weren't expecting an email that contains a link or an attachment, don't click on or open it. Social engineering scams often look like the real thing, so it's a good idea to also have in place an email security solution that analyzes inbound content and filters out links and attachments to malware.

Keep your computer patched and up to date: The Pony malware also can infect users' machines if they simply visit a booby-trapped website. Typically, these "drive-by download" installations take advantage of a browser plug-in that is out of date. Make sure all of your software is updated to the latest version, and consider a web security solution that can evaluate the intent of web pages and help strip out malware.

Run anti-virus: The Pony malware also can hit users who are tricked into installing a bogus product update. Avoid falling for these ruses, and ensure you are running updated anti-virus and intrusion prevention defenses.

Train your staff: Give your employees the know-how to protect your data and network from malware. Security Awareness Training helps reduce the chances that your business will become a victim of data-stealing malware.

Choose a complex and unique password: Having a strong and unique password wouldn't have protected you against this malware, but the server we came across showed that far too many people use easy-to-guess passwords and likely share them across different accounts. The most common password we discovered was "123456." Passwords that contain at least eight characters and are alphanumeric in their structure are less predictable and far more difficult to crack than shorter ones. Users should also use "passphrases" to make them easier to remember, such as "myD0g1sL0ud". Also, make sure you use different passwords for all of your online accounts. 
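The password advice above can be turned into a self-audit of your own saved logins. The following is an added example, not Trustwave code: it flags entries that are on a common-password list, shorter than eight characters, not a mix of letters and digits (our reading of "alphanumeric"), or reused across sites. The denylist beyond "123456", the site names and the sample vault are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed denylist; only "123456" is taken from the article.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111"}


def policy_findings(password):
    """Return the article's criteria that a single password fails."""
    findings = []
    if password.lower() in COMMON_PASSWORDS:
        findings.append("common")
    if len(password) < 8:
        findings.append("too_short")
    # Assumption: "alphanumeric" means at least one letter and one digit.
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_alpha and has_digit):
        findings.append("not_alphanumeric")
    return findings


def audit_vault(entries):
    """entries: iterable of (site, password). Returns {site: [findings]}."""
    sites_by_digest = defaultdict(list)
    report = {}
    for site, password in entries:
        report[site] = policy_findings(password)
        # Group by SHA-256 digest so plaintext is never used as a lookup key.
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        sites_by_digest[digest].append(site)
    # Any digest seen on more than one site means the password is shared.
    for sites in sites_by_digest.values():
        if len(sites) > 1:
            for site in sites:
                report[site].append("reused")
    return report


# Constructed sample vault (hypothetical sites and passwords).
SAMPLE_VAULT = [
    ("facebook.example", "123456"),
    ("mail.example", "myD0g1sL0ud"),
    ("bank.example", "myD0g1sL0ud"),
    ("forum.example", "Tr4in-St4tion-Blue"),
]

if __name__ == "__main__":
    for site, findings in audit_vault(SAMPLE_VAULT).items():
        print(site, findings or "ok")
```

A passphrase that passes every per-password check is still flagged when it appears on two sites, which is the reuse problem the stolen data exposed.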

Help from Trustwave

Trustwave offers a variety of technologies and services that helped automatically protect our customers from this and other forms of malware. They include Trustwave Secure Web Gateway, Trustwave Secure Email Gateway (MailMarshal) and Trustwave Managed Email Security (MailMax).

For more technical information about this recent threat, visit the Trustwave SpiderLabs Blog. The blog will also feature updates as they become available.

Dan Kaplan is the manager of online content at Trustwave.


