The discovery of some two million stolen online passwords this week prompted fresh warnings from security researchers to strengthen protection from hackers.
US-based security firm Trustwave said it located the stolen credentials on a server in the Netherlands, affecting accounts from Facebook, Google, Yahoo and other major firms.
Trustwave said in a blog post that many of the compromised accounts had weak passwords -- sometimes with fewer than four characters.
Only five per cent were rated "excellent" with eight or more characters. And many were easy to guess such as "1234" or "123456."
"Unfortunately, there were more terrible passwords than excellent ones, more bad passwords than good, and the majority, as usual, is somewhere in between in the medium category," the blog post said.
The compromised accounts were linked to a "botnet" called Pony, which infected computers with malware and allowed hackers to remotely access the devices.
Victimised computers were found in some 100 countries, the statement said. "The attack is fairly global and ... at least some of the victims are scattered all over the world."
Independent security researcher Graham Cluley said the incident was a large-scale version of a common type of attack.
"Innocent users' computers have become infected with malware, which grabbed login details as they were entered by users," he said in a blog post.
"This data was then transmitted to the cybercriminals -- either so they could access the accounts themselves or (more likely) sell on the details to other online criminals."
Serge Malenkovich of the security firm Kaspersky said cybercriminals can also steal credentials from people who check their emails or Facebook accounts from a public computer.
"This could be quite unpleasant by itself, but the problem will become even worse if you have a habit of re-using the same password for multiple online services," Malenkovich said.
"As password theft happens more often, this habit has become even more dangerous, especially if you consider that your daily routine now includes persistent access to financial transactions -- from classical online banking to fund transfers using Gmail attachments.
That's why a seemingly innocent Twitter password theft might eventually lead to the loss of real money."