The discovery of about two million stolen online passwords this week prompted fresh warnings from security researchers to strengthen protection from hackers. US-based security firm Trustwave said it located the stolen credentials on a server in the Netherlands, affecting accounts from Facebook, Google, Yahoo and other major firms. Trustwave said many of the compromised accounts had weak passwords - sometimes with fewer than four characters. Only 5 per cent were rated "excellent" with eight or more characters. And many were easy to guess, such as "1234" or "123456". "Unfortunately, there were more terrible passwords than excellent ones, more bad passwords than good, and the majority, as usual, is somewhere in between in the medium category," the blog post said. The compromised accounts were linked to a "botnet" called Pony, which infected computers with malware and allowed hackers to access the devices. Targeted computers were found in some 100 countries, the statement said. Independent security researcher Graham Cluley said the incident was a large-scale version of a common type of attack. "Innocent users' computers have become infected with malware, which grabbed login details as they were entered by users," he said in a blog post. "This data was then transmitted to the cybercriminals - either so they could access the accounts themselves or (more likely) sell on the details to other online criminals." Serge Malenkovich, of the security firm Kaspersky ,said cybercriminals could also steal credentials from people who check e-mails or Facebook accounts from public computers.