Hackers using a custom Trojan-type malware stole nearly 26 million login credentials—emails or usernames and associated passwords—from almost a million websites over a two year period, including from such namesakes as Amazon, Facebook, and Twitter, according to cybersecurity provider NordLocker.