Hackers have stolen almost two million passwords for large websites including Facebook, Twitter and Gmail, in a massive security breach discovered by authorities in the Netherlands.

According to internet security firm Trustwave, roughly two million credentials to log into some of the world's most popular websites and email services have been stolen in a sophisticated scheme.

According to the company, the keystone appears to be a server that was infecting other computers, turning them into "zombies" to collect more log-in information and relay the information back to the Pony botnet, which has been tied to malicious cyberactivity in the past.

Users in 92 countries and 93,000 different websites are believed to be affected.

"As one might expect, most of the compromised web log-ins belong to popular websites and services such as Facebook, Google, Yahoo, Twitter, LinkedIn, etc.," Trustwave said on its website.

The company says hackers stole at least:

  • 318,000 Facebook accounts
  • 70,000 Gmail accounts
  • Almost 60,000 Yahoo accounts
  • 21,000 Twitter passwords
  • 8,500 LinkedIn accounts
  • 41,000 FTP account credentials

In total, some 1,580,000 website login credentials were stolen, in addition to 320,000 email account credentials.

Some of the larger affected websites including Facebook, Twitter and Gmail, say they are aware of the breach and have notified and reset the passwords of affected accounts.

Two Russian websites were high on the list, a sign that the country could be tied to the attack. And Trustwave noted the presence of job staffing firm ADP.com in the mix.

ADP issues a closely watched index of U.S. jobs that often moves markets.

"Facebook accounts are a nice catch for cyber-criminals, but payroll services accounts could actually have direct financial repercussions," Trustwave noted.

The payroll firm says it doesn't think its systems were compromised, however.

"At this time, ADP has determined that none of its internal networks and servers has been compromised, and no intrusion has occurred," ADP said in a statement on its website.

Still, the presence on non-traditional accounts on the list is what has cybersecurity experts so troubled by the scope of the breach.

Bank info the goal

"The goal isn’t to gain control over social media, the plan is to get that password and knowing that it's human nature to use the same password everywhere," says Avner Levin, the director of Ryerson's privacy and cybersecurity program.

"Maybe there was a credit card receipt delivered to your email. They can piece it together [and] that’s where they can make the money for their operations."

It's old advice, but Levin says the best thing people can do to avoid such security breaches is to not use the same passwords across multiple accounts, and make them hard to crack.

"Even if we had like two or three, it would really stymie a lot of these attempts," he said.

As is common with security breaches like this, Trustwave says people aren't taking security issues seriously enough. At least 16,000 of the stolen passwords for accounts were "123456" and others such as "111111" and "password" featured prominently in the hack.