Last.fm latest victim of password theft

Last.fm is reporting that its passwords have been stolen, and as the old saying goes: change your password, make it secure, rinse and repeat if desired.

An unnamed representative for the site hasn't said how many passwords, or even what percentage of the userbase, are affected, but has requested that users update their passwords right away:

We are currently investigating the leak of some Last.fm user passwords. This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately.

This would indicate that they don't plan to reset the passwords themselves, as eHarmony reportedly did shortly after discovering its breach; LinkedIn also apologized for the inconvenience.

As with other sites, Last.fm has also advised that the new password should be different from the password used on other services, and recommended this link to create a newer, stronger, and better password.

It would appear that this is an attack by the same person or group, and we can probably expect more high-profile breaches of security unless these companies act now to protect customer data.

LinkedIn was the first high-profile attack, which saw 6.4M passwords stolen; just a day later, several thousand accounts were already being used to send spam emails.

Thanks for the tip Andrew Lyle.

Via: Last.fm announcement


Got to love how all these sites that get hacked put "we take your privacy very seriously". Clearly not seriously enough.

Changed password, deleted account. Found it redundant after Zune came to Xbox Live.

Cheers for the heads up

Geez, that's the third one this week ... first LinkedIn, then eHarmony, now Last.fm ... who's next?!?

DrakeN2k said,

Um what ...

Dude you need to update the firmware on your IPv4 address so that it gets an IPv6 address duhh...

DrakeN2k said,

Um what ...

IPv6 makes passwords 6 times harder to crack because it uses a higher number in addition to the lowercase v.

As if a last.fm account can be used for anything serious anyway.
Good that people are becoming more aware of the need to use stronger passwords and to stop using the same one on multiple sites ^_^

Oh joy, more hacking sprees.

At least this beefs up security at the companies that get affected, but goddamn I wish this would stop.

I swear to god, I'll have to commit murder the day that one of these websites gets hacked and their passwords are stored in plain text.

bangbang023 said,
Haven't used it in years, so I just deleted my account.
I've used mine recently, but I just deleted mine as well. If they can't keep my password secure, I'd rather just clear my data from their systems.

Heh, it's a good job I used KeePass to randomly generate a secure password. Hopefully it's tough enough that it's not going to be cracked. Going to change it though, just to be sure.

Could have told you this a while ago... I've been getting spam to the email address I used for last.fm.

Marcin Kurek said,
God damn it.

I just laughed in my cubicle ... I imagined some other poor schmuck in IT saying the same thing ... I said the same thing this morning for an issue with IE

No man.. the data was stolen and the passwords were being cracked elsewhere. The DATA was exposed, not individual passwords.

Jose_49 said,
Hmmm, I wonder... is this the user's fault, or has the hash mechanism of these sites begun to age?

Assuming these sites are storing passwords in a one-way hash, salted on a per-user basis, then it shouldn't be possible to break so many passwords so quickly (it would take quite a long time for each user). With a site-wide salt it becomes more feasible. Unsalted hashes are just a no-no - seriously, if these sites are using unsalted hashes or (*cringe*) storing them in plain text, then they need some new devs.

Fourjays said,

if these sites are using unsalted hashes

The Linkedin passwords were unsalted.

From article:

The unsalted hashes use SHA-1 encryption, and while it is somewhat secure, it can still be cracked if the user employs a simple dictionary password.
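The three storage schemes Fourjays contrasts (unsalted, one site-wide salt, per-user salt) and the unsalted SHA-1 quoted above from the LinkedIn article, shown side by side as an added Python example; this is not code from the article, from Last.fm, or from any commenter. The sample accounts, the site-wide salt and the PBKDF2 iteration count are constructed values, and PBKDF2-HMAC-SHA256 stands in as the slow per-user KDF.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real data): two users chose the same password.
SAMPLE_USERS = {"alice": "letmein2012", "bob": "letmein2012", "carol": "Tr0ub4dor&3"}
SITE_SALT = b"constructed-site-wide-salt"   # a single salt shared by every account
ITERATIONS = 200_000                         # PBKDF2 work factor (assumed value)


def unsalted_sha1(password):
    """Bare SHA-1, the scheme the thread attributes to LinkedIn."""
    return hashlib.sha1(password.encode()).hexdigest()


def site_salted_sha1(password):
    """One site-wide salt: blocks generic precomputed tables, but every account
    still shares the same salt, so identical passwords hash identically."""
    return hashlib.sha1(SITE_SALT + password.encode()).hexdigest()


def per_user_pbkdf2(password, salt=None):
    """Random per-user salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    Returns (salt, hex digest); both are stored, neither needs to be secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest.hex()


def verify_pbkdf2(password, salt, stored_hex):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), stored_hex)


def duplicate_digests(hash_fn, users=SAMPLE_USERS):
    """Number of stored values shared with another account. Any value > 0 means
    a single successful guess or table lookup recovers several accounts at once."""
    digests = [hash_fn(pw) for pw in users.values()]
    return len(digests) - len(set(digests))


def compare_schemes(users=SAMPLE_USERS):
    """Duplicate count per scheme; only per-user salts drive it to zero."""
    return {
        "unsalted_sha1": duplicate_digests(unsalted_sha1, users),
        "site_salted_sha1": duplicate_digests(site_salted_sha1, users),
        "per_user_pbkdf2": duplicate_digests(lambda pw: per_user_pbkdf2(pw)[1], users),
    }
```

The duplicate count is what a reviewer can check directly in a leaked table: with unsalted or site-wide-salted hashes, every account that shares a password shows the same stored value, which is why one cracked hash maps onto many users.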

That sucks. Why is there never any security? Isn't it a requirement?

crispkreme said,

The Linkedin passwords were unsalted.

From article:

max22 said,
That sucks. Why is there never any security? Isn't it a requirement?

Because proper security isn't free.... Companies save money at the expense of their users.

crispkreme said,

The Linkedin passwords were unsalted.

From article:

That's utterly terrible (I didn't read the LinkedIn article so this is news to me). I could understand it from an individual new to programming or doing it on an amateur basis, but for major sites like this.... it is frankly inexcusable. Even a single site-wide hash is more secure than no hash and incredibly easy to implement.

It really is about time that governing bodies started worrying more about ensuring companies store data securely and treat it responsibly, than wasting time on pointless things like cookies and web history.

max22 said,
That sucks. Why is there never any security? Isn't it a requirement?

For sites to use SHA1 is pretty amazing; faceparty stores your password in plain text and will even email it out if you've forgotten it, via normal (non-SSL) SMTP.
'Security, **** yeah!'