More than 2 million stolen passwords for websites including Facebook, Gmail and Yahoo were posted online this week, according to the security company Trustwave. The company believes the credentials were harvested by keylogging software installed on thousands of infected computers worldwide, that is, captured on the victims' own machines rather than taken from the websites themselves.
“We don’t know how many of these details still work,” security researcher Graham Cluley told the BBC. “But we know that 30-40% of people use the same passwords on different websites. That’s certainly something people shouldn’t do.”
Trustwave said that social media log-in details were the most common entries in the dump, with 318,121 username and password combinations for Facebook alone. Facebook was quick to point out that the breach did not occur on its own systems, and that users could take steps to protect their accounts against this kind of credential theft.
“People can help protect themselves when using Facebook by activating Login Approvals and Login Notifications in their security settings,” the site said in a statement. “They will be notified when anyone tries to access their account from an unrecognized browser and new logins will require a unique passcode generated on their mobile phone.”
This incident underlines two things users can control: choosing unpredictable passwords and using a different one for each site. Trustwave said that the most common password in the dump was “123456,” appearing over 15,000 times. A password that predictable is trivially guessed, but note that a keylogger captures a strong password just as easily as a weak one; what limits the damage from a keylogged credential is that it unlocks only one account (no reuse) and that the account also requires a second factor, as Facebook's Login Approvals do. Changing passwords periodically, even strong ones, shortens the window during which a stolen credential remains usable, which matters here because nobody yet knows how many of the leaked credentials still work.
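The kind of tallying Trustwave described (per-site counts, the single most common password, and the cross-site reuse rate Cluley cites) can be reproduced on any credential dump with a short script. The following is an added example written for this page, not Trustwave's tooling and not code from the original article; it assumes the dump is posted as "site,username,password" lines, works on a small constructed sample rather than the real data, and adds a blocklist check a site could use to reject new passwords that a public dump shows to be common.

```python
from collections import Counter, defaultdict

# Constructed sample in the "site,username,password" shape in which credential
# dumps are commonly posted. Every entry here is made up for illustration; none
# of it comes from the Trustwave report or the actual dump.
SAMPLE_DUMP = """\
facebook.com,alice@example.com,123456
facebook.com,bob@example.com,Tr0ub4dor&3
gmail.com,alice@example.com,123456
yahoo.com,alice@example.com,123456
facebook.com,carol@example.com,password
gmail.com,carol@example.com,P@ssw0rd!2013
facebook.com,dave@example.com,123456
yahoo.com,dave@example.com,letmein
this line is malformed and is skipped
"""


def parse_dump(text):
    """Parse 'site,username,password' lines into (site, user, password) tuples.

    Blank or malformed lines are skipped. Only the first two commas split the
    line, so a password that itself contains commas survives intact.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(",", 2)
        if len(parts) != 3:
            continue
        site, user, password = parts
        records.append((site.strip().lower(), user.strip().lower(), password))
    return records


def top_passwords(records, n=5):
    """Most frequent passwords across the whole dump, e.g. [('123456', 4), ...]."""
    return Counter(pw for _, _, pw in records).most_common(n)


def per_site_counts(records):
    """How many credential pairs the dump holds for each site."""
    return Counter(site for site, _, _ in records)


def reuse_rate(records):
    """Share of users seen on two or more sites who reuse a password across them.

    Users seen on only one site cannot be assessed for reuse and are left out
    of the denominator.
    """
    by_user = defaultdict(dict)  # user -> {site: password}
    for site, user, password in records:
        by_user[user][site] = password
    assessable = [sites for sites in by_user.values() if len(sites) >= 2]
    if not assessable:
        return 0.0
    reusing = sum(1 for sites in assessable if len(set(sites.values())) < len(sites))
    return reusing / len(assessable)


def is_blocklisted(candidate, records, min_count=2):
    """True if the candidate password appears at least min_count times in the dump.

    A site can apply this at password-change time to reject choices that a
    public dump shows to be common, the property that made '123456' a liability.
    """
    counts = Counter(pw for _, _, pw in records)
    return counts[candidate] >= min_count


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print("records parsed:", len(recs))
    print("top passwords:", top_passwords(recs, 3))
    print("per site:", dict(per_site_counts(recs)))
    print("reuse rate among multi-site users: %.0f%%" % (100 * reuse_rate(recs)))
    print("'123456' blocklisted:", is_blocklisted("123456", recs))
```

Run as a script it prints a summary of the sample. The blocklist check is count-based rather than a fixed word list so it tracks whatever dump is fed to it; a real deployment would extract the counts and then discard the plaintext credentials rather than keep the dump on disk.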