Credentials stolen by Pony botnet show password reuse among 15% of victims
Study: 2014 Trustwave Global Security Report
Date: May 2014
"Between June 2013 and January 2014, Trustwave researchers identified several Pony botnet controllers designed to steal passwords along with other personal and financial information. By examining the cache of stolen credentials, we present a rarely seen view into the password habits of real-world users."
"To study the password data for additional trends, we normalized the web-based credentials and stripped the account names from email addresses. This resulted in a list of nearly 1.5 million unique account names. Nearly 25 percent of the usernames had passwords stored for multiple sites. We compared these to see how frequently passwords are reused. The data shows that 15 percent of unique account names used identical passwords across more than one service."