43 million Last.fm account details leaked after 2012 hack
It seems that serious data breaches are all but an everyday occurrence at the moment. At the same time, there have also been instances of historical hacks suddenly coming to light, such as the 2012 breach of Dropbox.
But Dropbox was not the only company to suffer an attack in 2012 -- so did music site Last.fm. Now, four years after the hack, details of 43 million accounts have been leaked.
While Last.fm acknowledged the hack back in 2012, few would have expected the fallout to be felt so long after the event. At the time the company warned users to change their passwords but it is likely that a reasonable percentage of the 43 million users affected failed to do so.
The huge data dump was leaked to LeakedSource. The site explains:
Music service Last.fm was hacked on March 22nd, 2012 for a total of 43,570,999 users. This data set was provided to us by firstname.lastname@example.org and Last.fm already knows about the breach but the data is just becoming public now like all the others.
Each record contains a username, email address, password, join date, and some other internal data. We verified the legitimacy of this data set with Softpedia reporter Catalin C who was in the breach himself along with his colleagues.
The group goes on to say that the user data was stored in an insecure way which made it very easy to crack:
Passwords were stored using unsalted MD5 hashing. This algorithm is so insecure it took us two hours to crack and convert over 96% of them to visible passwords, a sizeable increase from prior mega breaches made possible because we have significantly invested in our password cracking capabilities for the benefit of our users.
It didn’t take long for more passwords to be revealed:
Now we currently have 98% of last.fm passwords cracked and converted to plaintext, a 2% increase from yesterday
— LeakedSource (@LeakedSource) September 1, 2016
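To illustrate why unsalted MD5 storage falls so quickly, here is an added example (not code from the article, LeakedSource or Last.fm) that stores the same constructed accounts two ways. The usernames, passwords and scrypt parameters are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not taken from the breach data).
ACCOUNTS = [("alice", "sunshine1"), ("bob", "sunshine1"), ("carol", "T7#vq-long-unique")]

def md5_record(password):
    """Storage scheme described in the article: unsalted MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()

def scrypt_record(password, salt=None):
    """Per-user random salt plus a memory-hard KDF (cost parameters are assumptions)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest

def scrypt_verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = scrypt_record(password, salt)
    return hmac.compare_digest(digest, expected)

def shared_record_groups(db):
    """Groups of users whose stored records are byte-for-byte identical.

    With unsalted hashing, every user in a group is exposed as soon as one
    of them is, and the same precomputed hash applies to every other site
    that used the same scheme.
    """
    groups = {}
    for user, record in db.items():
        groups.setdefault(record, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]

md5_db = {user: md5_record(pw) for user, pw in ACCOUNTS}
scrypt_db = {user: scrypt_record(pw) for user, pw in ACCOUNTS}

if __name__ == "__main__":
    print("unsalted MD5, users sharing a stored hash:", shared_record_groups(md5_db))
    print("salted scrypt, users sharing a stored record:", shared_record_groups(scrypt_db))
```

With the salted scheme, each guess has to be recomputed per user at the KDF's cost, which is what removes the bulk-cracking shortcut.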
While clearly a security concern in its own right, the data breach and leak also show that users have learned little about the importance of a strong password. Here's the top ten:
So the advice is: if you have not already changed your Last.fm password, do so now. And stop using crap passwords!