“Criminal botnet” sounds like something from a forgotten sci-fi serial from the 1970s, but turns out they’re real, and they’ll steal your passwords.
A botnet called Pony recently stole 2 million passwords for major online destinations like Facebook, Yahoo, Google, and Twitter, as well as payroll service Automated Data Processing. The security research team at Trustwave’s Spiderlabs discovered the massive data heist this week and outlined how the botnet works its dirty magic on their blog.
The passwords were siphoned from devices infected with malware that gave something called the Pony Botnet Controller access to information. This version of Pony rounds up passwords with frightening efficiency; even more disturbingly, since it has successfully obtained information from a large payroll company, this criminal hack could have immediate financial repercussions for the people impacted. Yikes.
There’s no way to make your information absolutely 100 percent safe, because the collectives behind this sort of attack tend to be pretty smart at inventing new ways to get at our personal information. But there are a few steps you can take to avoid falling prey to this kind of hack.
First, assess the situation.
Find out if you were one of the unlucky victims at HaveIBeenPwned – the site lets you enter as many email accounts as you want and will tell you if you’ve been hacked. It might even give some follow-up information about which particular security breach was responsible. If any of your accounts turn up a warning, you’d best go change that password immediately.
Don’t choose an obvious, simple password.
You’d think people would know by now not to use passwords like “123456” but I guess not. This kind of “chocolate teapot” password (meaning: they’re completely useless) was the most commonly stolen. Other commonly stolen passwords: 123456789, 1111111, and “admin.” Just get more creative (your birthday and name aren’t recommended, either). Setting a longer password seems like too simple a solution, but most of the passwords stolen were just that — too simple.
For Facebook, take advantage of additional security.
Facebook told the BBC that people could safeguard their accounts by activating Login Approvals and Login Notifications in their security settings. Turning Login Notifications on will alert you anytime someone attempts to sign in from an unknown location, and using Login Approvals will generate a unique code that gets sent to your mobile phone — and both security measures could keep your Facebook information out of the hands of botnets.
This isn’t the first time a widespread security breach has happened. This is on a notably large scale, yes, but passwords get stolen all the time. The best thing you can do is come up with a complicated, long, unique password that won’t be easy to guess, and take the time to set your security settings to notify you when unusual activity occurs.