Have a Google, Facebook, Twitter, LinkedIn, or Yahoo account? If so, you might want to change your password, stat.

According to cybersecurity firm Trustwave, hackers using a nasty piece of work called the Pony Botnet Controller have stolen usernames and passwords for nearly two million accounts. The firm determined that a malicious keylogger installed on users’ computers was to blame.

Researchers at Trustwave said this massive data breach has been going on for a month, but they only discovered and publicized their findings Tuesday, CNN reports. Facebook, LinkedIn and Twitter told CNN that they've notified affected users and reset their passwords; Google declined to comment, and Yahoo didn't provide a response to CNN.