Security Experts:

43 Million Last.fm Accounts Stolen in 2012 Breach

The account details of well over 43 million Last.fm users were stolen when the online music service was hacked back in 2012.

In June 2012, Last.fm advised all users to change their passwords after hackers posted Last.fm password hashes to a password cracking forum. The company also made some improvements to how passwords were stored after it admitted that it had been using the MD5 algorithm with no salt.

No one knew exactly how many accounts had been stolen. Now, breach notification service LeakedSource claims to have obtained the data and counted 43,570,999 accounts. The leaked data includes usernames, email addresses, passwords, dates of registration and some internal data.

While the incident was first disclosed by the company in June 2012, some reported at the time that the breach actually took place several months earlier. LeakedSource has now confirmed that the website was hacked on March 22, 2012.

LeakedSource managed to crack 96 percent of the unsalted MD5 hashes within two hours. An analysis of the passwords has shown that many of them are not only easy to crack, but also very easy to guess (e.g. 123456, password, lastfm and 123456789).

Dropbox was also hacked in 2012 and experts revealed this week that attackers had compromised more than 68 million accounts. However, unlike Last.fm, Dropbox used salted SHA1 and bcrypt to protect user passwords.

SecurityWeek has reached out to Last.fm for comment and will update this article if the company responds.

LeakedSource says it has already added 2 billion leaked records to its databases and it’s currently working on processing other mega breaches.

“We have so many databases waiting to be added that if we were to add one per day it would still take multiple years to finish them all,” the company said.

The list of old mega breaches that came to light this year affected companies such as Mail.Ru (25 million), LinkedIn (167 million), Myspace (360 million), Tumblr (65 million), and VK (170 million). The leaked credentials have also been used in password reuse attacks targeting Netflix, Facebook, GitHub, Twitter and others.

Related: Russian Hackers Attack Two U.S. Voter Databases: Reports

Related: User Data Possibly Stolen in Opera Sync Breach

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.