Pony Botnet Compromises Millions of Online Accounts


Dec. 17, 2013

Recently, a Pony Botnet control server was found to contain the stolen usernames and passwords of nearly two million online accounts,1 including:

  • 326,129 Facebook accounts
  • 70,532 Google/Gmail accounts
  • 59,549 Yahoo accounts21,708 Twitter accounts
  • 9,321 Odnoklassniki accounts (a Russian social network)
  • 8,490 LinkedIn accounts
  • 7,978 Automatic Data Processing (ADP) accounts
  • 6,867 VK accounts (a Russian social network)


Additionally, credentials for other services were identified as stolen, including approximately:

  • 320,000 email accounts
  • 41,000 File Transfer Protocol (FTP) accounts
  • 3,000 remote desktop accounts
  • 3,000 Secure Shell (SSH) accounts


All of the affected vendors have been notified of the issues. Some, such as Facebook, ADP, Twitter, and LinkedIn, already have taken steps to protect the accounts that were compromised, including resetting affected account passwords.

Unlike other recent breaches where attackers have penetrated websites and dumped user credentials from the site itself, this attack targeted end users. Keylogging software, likely installed unknowingly by end users through a phishing campaign, captured the keystrokes entered by the end users on their computers and sent that information back to the perpetrator’s servers.

End users can take several steps to protect themselves from these kinds of attacks:

  • Change Passwords. Companies should consider requiring employees to change their passwords in case any were reused between employees’ corporate and personal accounts. Additionally, organizations should consider changing passwords for FTP and SSH services that are not tied in with the organization’s identity management solution. Finally, even though some of the vendors have taken steps to reset passwords for affected accounts, end users should consider changing their passwords on all of the sites and services noted earlier to proactively work toward preventing unauthorized access, even if they were not among the affected individuals.

  • Develop Security Awareness. Individual end users should be skeptical of the emails and messages they receive as well as the sites they visit. Just because an email appears to be from Facebook, Twitter, the user’s bank, or other similar sites does not mean it is authentic. Since URLs can be crafted to look legitimate but redirect to nonlegitimate sites, end users should avoid clicking on links in emails and instead consider entering the URL directly in their browser.

    Organizations should consider providing security awareness training to employees and conducting security awareness and social engineering testing by sending phishing emails and making telephone calls in order to see how employees react. The results can be used as a teaching tool to prevent employees from falling victim to actual social engineering and phishing attacks.

  • Use Unique Passwords for Every Site. Consider using a different password for every website. While this can be cumbersome to do, password management tools have made doing so easier by automatically generating and then filling in a random password for each site. The password management tool then requires a lengthy and strong master password (or potentially biometrics) to unlock the individual’s password database. Some examples include:

  • Implement Multifactor Authentication. Some of the affected vendors have implemented multifactor authentication, which requires secondary authentication in addition to a primary password. This is typically performed through a Short Message Service (SMS) message to a smartphone or via a mobile application. More information about multifactor authentication is available on individual sites:


For More Information

Raj Chaudhary

Noah Jaehnert

1 http://blog.spiderlabs.com/2013/12/look-what-i-found-moar-pony.html