The account details of well over 43 million Last.fm users were stolen when the online music service was hacked back in 2012.
In June 2012, Last.fm advised all users to change their passwords after hackers posted Last.fm password hashes to a password cracking forum. The company also made some improvements to how passwords were stored after it admitted that it had been using the MD5 algorithm with no salt.
No one knew exactly how many accounts had been stolen. Now, breach notification service LeakedSource claims to have obtained the data and counted 43,570,999 accounts. The leaked data includes usernames, email addresses, passwords, dates of registration and some internal data.
While the incident was first disclosed by the company in June 2012, some reported at the time that the breach actually took place several months earlier. LeakedSource has now confirmed that the website was hacked on March 22, 2012.
LeakedSource managed to crack 96 percent of the unsalted MD5 hashes within two hours. An analysis of the passwords has shown that many of them are not only easy to crack, but also very easy to guess (e.g. 123456, password, lastfm and 123456789).
Dropbox was also hacked in 2012 and experts revealed this week that attackers had compromised more than 68 million accounts. However, unlike Last.fm, Dropbox used salted SHA1 and bcrypt to protect user passwords.
SecurityWeek has reached out to Last.fm for comment and will update this article if the company responds.
LeakedSource says it has already added 2 billion leaked records to its databases and it’s currently working on processing other mega breaches.
“We have so many databases waiting to be added that if we were to add one per day it would still take multiple years to finish them all,” the company said.
The list of old mega breaches that came to light this year affected companies such as Mail.Ru (25 million), LinkedIn (167 million), Myspace (360 million), Tumblr (65 million), and VK (170 million). The leaked credentials have also been used in password reuse attacks targeting Netflix, Facebook, GitHub, Twitter and others.
Related: Russian Hackers Attack Two U.S. Voter Databases: Reports
Related: User Data Possibly Stolen in Opera Sync Breach

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- NIST Publishes Final Version of 800-82r3 OT Security Guide
- Johnson Controls Hit by Ransomware
- Verisoul Raises $3.25 Million in Seed Funding to Detect Fake Users
- Government Shutdown Could Bench 80% of CISA Staff
- Google Rushes to Patch New Zero-Day Exploited by Spyware Vendor
- macOS 14 Sonoma Patches 60 Vulnerabilities
- New GPU Side-Channel Attack Allows Malicious Websites to Steal Data
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
