Sad Security Song: Last.fm Urges Members to Change Passwords
The day after massive password data breaches hit LinkedIn and eHarmony, the online music-streaming site Last.fm also warned its users to change their passwords.
"We are currently investigating the leak of some Last.fm user passwords," Last.fm wrote in a security update today (June 7). "This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we're asking all our users to change their passwords immediately."
Last.fm's advisory comes the day after a hacker posted more than 6.4 million LinkedIn encrypted passwords on a Russian Web forum, and two days after the same hacker posted a different file with 1.5 million encrypted passwords that appeared to come from the online dating site eHarmony.
The Twitter feed @CrackMeIfYouCan, which seemed to have early information regarding the LinkedIn and eHarmony hacks, purported to also have some insider details on the Last.fm hack.
"A bit of stats on last.fm leak: 1) It happened a WHILE ago. 2010/2011" one tweet read. "2) 17.3 million raw-md5 3) 16.4 million cracked. 95% cracked."
In plain English, CrackMeIfYouCan claims that 17.3 million Last.fm passwords, hashed without random-data "salts" using the easy-to-crack MD5 hashing algorithm, were stolen at least a year ago, and that almost all of those passwords had since been cracked.
Those claims could not be immediately verified.
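To show why unsalted "raw-md5" storage is so weak, and what the fix looks like, here is an added example (not code from Last.fm or from the article) using constructed sample accounts: identical passwords produce identical unsalted hashes, so cracking one exposes every account sharing it, whereas a per-user random salt with a slow key-derivation function (the PBKDF2 iteration count is an assumed value) gives every account a distinct hash.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real Last.fm data): two users picked the same password.
SAMPLE_ACCOUNTS = {"alice": "password123", "bob": "password123", "carol": "correct horse battery"}


def raw_md5(password: str) -> str:
    """Unsalted MD5, the 'raw-md5' scheme the tweet attributes to the leaked hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def shared_hash_groups(accounts: dict) -> list:
    """Return groups of usernames whose unsalted hashes are identical.

    With no salt, equal passwords give equal hashes, so one cracked hash
    (or one precomputed table entry) exposes every account in the group.
    """
    by_hash = {}
    for user, pw in accounts.items():
        by_hash.setdefault(raw_md5(pw), []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to your own hardware


def salted_hash(password: str, salt: bytes = None) -> str:
    """Per-user random salt plus a slow KDF: the mitigation for the weakness above."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("accounts exposed together under raw MD5:", shared_hash_groups(SAMPLE_ACCOUNTS))
    stored = {u: salted_hash(pw) for u, pw in SAMPLE_ACCOUNTS.items()}
    print("alice and bob share a salted hash?", stored["alice"] == stored["bob"])
```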
Both LinkedIn and eHarmony have also asked members to change their passwords, and have forcibly reset passwords that were clearly cracked.
Last.fm did not confirm whether its breach was related to those affecting LinkedIn and eHarmony. In an email to SecurityNewsDaily, Last.fm spokesman Luke Fredberg said, "We aim to keep our users up-to-date as and when we receive any more information and will keep you posted if anything changes."
To mitigate the potential for identity theft arising from a compromised password, Last.fm suggests its members create a new, strong password that differs from the ones they use on other sites.
"We're sorry for the inconvenience around changing your password," Last.fm said in the advisory. "Last.fm takes your privacy very seriously. We'll be posting updates in our forums and via our Twitter account (@lastfm) as we get to the bottom of this."
Whatever the source of the password breach, Last.fm and eHarmony should both be praised for alerting their members as soon as they detected a problem.
LinkedIn drew harsh criticism for initially denying that any hack had occurred. It took hours for the company to admit the breach.