Officials in Germany have warned that large networks of hijacked, hacker-controlled PCs – aka botnets – have harvested 16 million email address and password combinations for websites and other online services.
The (German Office of Information Security) BSI said cops and security researchers have been closely following armies of computers that have been infected by malware to spy on users and send spam. The investigators found the machines had gathered a vast collection of email addresses and passwords for mail accounts, social networking websites and all sorts of services: the sensitive credentials were lifted wholesale from infected systems and phishing emails sent from the botnets' drones.
Should a user's address be found in the collection, they'll be told to scan their systems for malware, install anti-malware tools, and change their passwords – particularly where a single password was shared for multiple accounts. Frustratingly, the BSI did not reveal the malware powering the botnets, but has published an otherwise extensive FAQ (in German).
Even without the aid of malware and botnet heists, many users are leaving themselves dangerously vulnerable to account theft from the use of poor password choices. Easily-guessed terms such as "password" and "123456" were found to still be the most popular choices for log-in credentials. ®