Researchers at cybersecurity firm Trustwave said that the virus was capturing log-in credentials for key websites over the past month and sending those usernames and passwords to a server controlled by the hackers.
Last month Trustwave researchers tracked that server to Holland and they found compromised credentials for more than 93,000 websites, including:
Trustwave notified these companies of the breach. So far, there is no evidence that hackers have used the passwords.
John Miller, a security research manager at Trustwave, said that his team had not worked out how the virus got onto so many personal computers. The hackers set up the keylogging software to rout information through a proxy server, so it is impossible to track down which computers are infected.
The hacking campaign started secretly collecting passwords on October 21, and it might be ongoing. It is believed that there are several other proxy servers running the attack which have not been found yet.
The virus running in the background is hidden, Miller said that antivirus software and download the latest patches for Internet browsers, Adobe (ADBE) and Java will detect it and prevent it running.