Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

43 Million Last.fm Accounts Stolen in 2012 Breach

The account details of well over 43 million Last.fm users were stolen when the online music service was hacked back in 2012.

The account details of well over 43 million Last.fm users were stolen when the online music service was hacked back in 2012.

In June 2012, Last.fm advised all users to change their passwords after hackers posted Last.fm password hashes to a password cracking forum. The company also made some improvements to how passwords were stored after it admitted that it had been using the MD5 algorithm with no salt.

No one knew exactly how many accounts had been stolen. Now, breach notification service LeakedSource claims to have obtained the data and counted 43,570,999 accounts. The leaked data includes usernames, email addresses, passwords, dates of registration and some internal data.

While the incident was first disclosed by the company in June 2012, some reported at the time that the breach actually took place several months earlier. LeakedSource has now confirmed that the website was hacked on March 22, 2012.

LeakedSource managed to crack 96 percent of the unsalted MD5 hashes within two hours. An analysis of the passwords has shown that many of them are not only easy to crack, but also very easy to guess (e.g. 123456, password, lastfm and 123456789).

Dropbox was also hacked in 2012 and experts revealed this week that attackers had compromised more than 68 million accounts. However, unlike Last.fm, Dropbox used salted SHA1 and bcrypt to protect user passwords.

SecurityWeek has reached out to Last.fm for comment and will update this article if the company responds.

LeakedSource says it has already added 2 billion leaked records to its databases and it’s currently working on processing other mega breaches.

“We have so many databases waiting to be added that if we were to add one per day it would still take multiple years to finish them all,” the company said.

The list of old mega breaches that came to light this year affected companies such as Mail.Ru (25 million), LinkedIn (167 million), Myspace (360 million), Tumblr (65 million), and VK (170 million). The leaked credentials have also been used in password reuse attacks targeting Netflix, Facebook, GitHub, Twitter and others.

Related: Russian Hackers Attack Two U.S. Voter Databases: Reports

Related: User Data Possibly Stolen in Opera Sync Breach

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybercrime

A database containing over 235 million unique records of Twitter users is now available for free on the web, cybercrime intelligence firm Hudson Rock...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...