Security firm Trustwave has discovered the trove of login credentials, email credentials and passwords, it announced on Tuesday.
Security experts told BBC that a criminal gang may be behind the security breach. The stolen information can be used to extract people's personal information from the websites, which can then be sold, according to BBC.
“Facebook takes people’s information security extremely seriously and we work hard to protect it," a Facebook spokesperson told The Huffington Post. "While details of this case are not yet clear, it appears that people’s computers may have been attacked by hackers using malware to scrape information directly from their web browsers."
The spokesperson also emphasized that all of the compromised passwords have been put into Facebook's password reset process, and that Facebook users can protect their accounts by activating Login Approvals and Login Notifications in their security settings.
"We immediately reset the passwords of the affected accounts," a spokesperson from Twitter told HuffPost. A Google spokesperson pointed us to a blog post about the ways in which the company combats "account hijackers."
"This particular incident occurred when users' systems were accessed through malware. It’s likely that these systems had out-of-date browsers or operating systems. We have implemented password resets on these accounts to protect our users," a Yahoo spokesperson told HuffPost. "We urge our users to keep their systems and applications updated, regularly run anti-virus software and not install programs from untrusted sources. We also encourage our users to set up second sign-in verification so they're notified when someone attempts to log into their account from another device."
The passwords and credentials were taken from people all over the world, Trustwave finds, and the site where the information was posted is written in Russian.
The stolen passwords are, in general, weak ones. The most popular password that was stolen is "123456," followed by "123456789," "1234" and "password."
This story has been updated to include a statement from Yahoo.