Hackers using malicious software have scooped up the user names and passwords for about 2 million accounts on some of the most popular sites on the Web, including Facebook and Google, security researchers say.

According to researchers from the Chicago-based firm Trustwave, hackers used a “botnet” known as Pony to pull off the massive theft. After being downloaded through a Web site or e-mail, the software monitors users’ browsers, collecting their log-in credentials.

The massive malware attack has been going on for at least a year, said John Miller, Trustwave’s security research manager.

Pony is a common malware tool, often sold and rebundled in hacking communities. It collects tens of thousands — sometimes hundreds of thousands — of passwords from Web sites, e-mail providers and other accounts each day, Miller said. The malware is probably collecting far more information than Trustwave discovered, he said.

The attack is smaller than some recent Internet data thefts, such as the 150 million user names and passwords taken from Adobe in November.

But the nature of the attack means that there is probably little the affected companies can do to stop it because it targets Web users rather than company security systems, Miller said.

The attack has already snagged user credentials from Web sites such as Facebook, Google, Yahoo, Twitter and LinkedIn, according to Trustwave. But it also grabbed information from companies such as the payroll-services provider ADP. One of the world’s largest payroll companies, ADP administers the benefits and payroll systems for more than 620,000 companies.

Miller said that the kind of work ADP does makes it an attractive target for hackers.

“They’re a little different than Facebook,” he said. “You can use a Facebook account to spam people with, but ADP has banking information behind it.”

In a statement Wednesday, ADP said that it is aware of the botnet and had determined that none of its internal networks or servers have been compromised. “To our knowledge, none of ADP’s clients has been adversely affected by the compromised credentials,” the company said.

Still, ADP said, out of an “abundance of caution” it is requiring a password reset for the 2,400 of its clients who were affected.

Twitter, Facebook, LinkedIn and Yahoo said they are working with Trustwave to reset the passwords on affected user accounts on their networks. None commented on whether users’ accounts have been penetrated.

Google declined to comment on the malware attack.

Miller said that, ultimately, the onus falls on companies and individuals to run regular antivirus scans on their computers. Companies can install software that prevents employees from downloading malware such as Pony, and individuals can do the same for their home computers. Those targeted by the attack should also change the login information for any account that shares a username or password with the affected account.
