Hackers using malicious software have scooped up the user names and passwords for about 2 million accounts on some of the most popular websites, including Facebook and Google, security researchers say.

According to the researchers from the Chicago-based firm Trustwave, hackers used a botnet known as Pony to pull off the theft. After being downloaded through a website or email, the software monitors a user’s browser, collecting their login credentials.

The malware attack has been going on for at least a year, said John Miller, Trustwave’s security research manager.

Pony is a common malware tool, often sold and rebundled in hacking communities. It collects tens of thousands - sometimes hundreds of thousands - of passwords from websites, email providers and other accounts each day, Miller said.

The malware is likely collecting far more informationthan Trustwave discovered, he said.

The attack is smaller than some recent Internet data thefts, such as the 150 million user names and passwords taken from Adobe in November.

But the nature of the attack means there is probably little the affected companies can do to stop it because it targets Web users rather than company security systems, Miller said.

The attack has already snagged user credentials from popular websites such as Facebook, Google, Yahoo, Twitter and LinkedIn, according to Trustwave. But it also grabbed information from firms such as the payroll services provider ADP.

One of the largest payroll companies in the world, ADP administers the benefits and payroll systems for more than 620,000 companies around the world.

Front Section, Pages 4 on 12/07/2013