The credentials for two million compromised accounts for social media sites and other websites have been posted online. They include credentials for Facebook, Yahoo, Google, Twitter, LinkedIn, a payroll service, and many others. The security breaches are believed to have been made possible through malware installed on user computers, not weaknesses in the websites themselves.
The credentials were gleaned by a fork of the Pony botnet controller, according to security firm Trustwave. The malware that made the theft possible is a keystroke logger (keylogger). That means that even if you're seeing asterisks instead of your actual password when you type it, the malware records which keys you pressed, so the masking on screen offers no protection.
As such, choosing a good password matters less than not having the malware on your computer in the first place. Even so, it's not a good idea to use simple passwords or to reuse them across multiple sites. This goes double if you use the same password for Facebook as you do for, say, your bank account login.
Some of the compromised passwords were ridiculously simple. "123456" appeared in 15,000 instances of the stolen credentials. In general, around 30-40% of users of popular sites use the same passwords across sites, according to one digital security researcher.
One breakdown of the stolen credentials is as follows:
~1,580,000 website login credentials stolen
~320,000 email account credentials stolen
~41,000 FTP account credentials stolen
~3,000 Remote Desktop credentials stolen
~3,000 Secure Shell account credentials stolen
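The statistics quoted above (the count of "123456", the share of users reusing passwords, the breakdown by credential type) are the kind of triage a defender runs over a recovered dump to decide which accounts to force-reset first. The following is an added example, not code from the article or from Trustwave; it runs over a small constructed sample dump with hypothetical users and hostnames, and the weak-password shortlist is likewise constructed.

```python
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Credential(NamedTuple):
    user: str      # account identifier as recovered from the dump
    site: str      # hostname the credential belongs to
    password: str  # plaintext password (keyloggers capture it as typed)
    kind: str      # "web", "email", "ftp", "rdp" or "ssh"


# Constructed sample dump: hypothetical users and hosts, not data from the real breach.
SAMPLE_DUMP: List[Credential] = [
    Credential("alice@example.com", "facebook.com", "123456", "web"),
    Credential("alice@example.com", "bank.example", "123456", "web"),
    Credential("alice@example.com", "mail.example", "123456", "email"),
    Credential("bob@example.com", "twitter.com", "Tr0ub4dor&3", "web"),
    Credential("bob@example.com", "linkedin.com", "correct-horse", "web"),
    Credential("carol@example.com", "ftp.example", "123456", "ftp"),
    Credential("carol@example.com", "yahoo.com", "password", "web"),
    Credential("dave@example.com", "rdp.example", "Winter2013!", "rdp"),
    Credential("dave@example.com", "ssh.example", "Winter2013!", "ssh"),
]

# Constructed shortlist of passwords that should trigger an immediate forced reset.
WEAK_PASSWORDS = {"123456", "password", "123456789", "qwerty"}


def top_passwords(records: List[Credential], n: int = 5) -> List[Tuple[str, int]]:
    """Most common passwords in the dump, e.g. to spot '123456'-style entries."""
    return Counter(r.password for r in records).most_common(n)


def count_by_kind(records: List[Credential]) -> Dict[str, int]:
    """Breakdown of stolen credentials by service type (web, email, ftp, ...)."""
    return dict(Counter(r.kind for r in records))


def reused_passwords(records: List[Credential]) -> Dict[str, Dict[str, List[str]]]:
    """Map user -> {password: sorted sites} for passwords used on 2+ distinct sites.

    A user in this map has at least one password shared across services, so a
    compromise of one of those sites exposes the others as well.
    """
    by_user: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for r in records:
        by_user[r.user][r.password].add(r.site)
    result: Dict[str, Dict[str, List[str]]] = {}
    for user, pw_sites in by_user.items():
        reused = {pw: sorted(sites) for pw, sites in pw_sites.items() if len(sites) > 1}
        if reused:
            result[user] = reused
    return result


def reuse_rate(records: List[Credential]) -> float:
    """Fraction of distinct users who reuse at least one password across sites."""
    users = {r.user for r in records}
    if not users:
        return 0.0
    return len(reused_passwords(records)) / len(users)


def weak_password_share(records: List[Credential], weak=WEAK_PASSWORDS) -> float:
    """Fraction of stolen credentials whose password is on the weak shortlist."""
    if not records:
        return 0.0
    return sum(1 for r in records if r.password in weak) / len(records)


def reset_priority(records: List[Credential]) -> List[str]:
    """Users to force-reset first: anyone with a weak or cross-site reused password."""
    flagged = set(reused_passwords(records))
    flagged.update(r.user for r in records if r.password in WEAK_PASSWORDS)
    return sorted(flagged)


if __name__ == "__main__":
    print("By type:", count_by_kind(SAMPLE_DUMP))
    print("Top passwords:", top_passwords(SAMPLE_DUMP, 3))
    print(f"Users reusing a password across sites: {reuse_rate(SAMPLE_DUMP):.0%}")
    print(f"Credentials with a weak password: {weak_password_share(SAMPLE_DUMP):.0%}")
    print("Force-reset first:", reset_priority(SAMPLE_DUMP))
```

The grouping is per user rather than per password on purpose: a popular password like "123456" shared by many unrelated users is a weak-password problem, while the same user entering one password on several hosts is the reuse problem the article warns about, and the two call for different notifications.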
Change 'em up, folks.