More than two million passwords and other login credentials for the most popular social networking sites have been stolen by cyberthieves and posted online.
The cache was uncovered by security firm Trustwave as part of its research into the Pony Botnet - a type of spyware that infects PCs and logs their users' keystrokes to access information.
Many people use the same password for multiple accounts - including online banking - and the cybercriminals are likely to sell the data on to hackers. The attack appears to be global, with many users of two Russian social networks affected, along with Facebook, Twitter, Yahoo, Linkedin, Google and other sites.
"Another interesting item on the list is the payroll service provider adp.com. It is only natural to have such domains in the mix, but it is surprising to see it ranked #9 on the top domains list," write researchers Daniel Chechik and Anat Davidi.
"Facebook accounts are a nice catch for cyber criminals, but payroll services accounts could actually have direct financial repercussions."
Shockingly, the team found that nearly 16,000 of the accounts had their password set to '123456' - and the next most popular four were '123456789', '1234', 'password' and '12345'.
It's also a good idea to use all the security features available in the application itself - Facebook's Login Notifications and Login Approvals, for example, or Google's two-step verification.
"Such services can warn you if your account is accessed in an unexpected way (such as from a computer you have not used before), and force you to authorise the login via a second device (such as your mobile phone)," Cluley explains.
Most anti-virus packages protect against this malware, so it's likely only to infect those who have let their protection become out of date. To be on the safe side, users should change their password, from a machine they're sure is clean - otherwise the new password could be logged as well.