More than 43 million accounts compromised in 2012 Last.fm hack

Shawn Knight


Data breach and hacking notification site LeakedSource has uncovered new information regarding the 2012 hack on Last.fm. Although the service issued a mandatory password change years ago, the scope of the hack is frightening to say the least.

According to the site, a total of 43,570,999 Last.fm users had their accounts compromised on March 22, 2012. Each record contained a username, e-mail address and password, along with some other internal data. Worse yet, the passwords were stored as unsalted MD5 hashes, and 96 percent of them were cracked in just two hours. That speed is no surprise: MD5 is designed to be fast, and without a per-user salt every account that chose the same password carries the identical hash, so a single lookup of a wordlist against the dump recovers all of them at once.

Unsurprisingly, the cracked password data reveals that many people used the most mundane of passwords. For example, the password “123456” was used by more than a quarter of a million people, while “password” was the password of choice for more than 90,000 members. “lastfm” was also a popular choice, as were “123456789” and “qwerty.” As for e-mail providers, most used Hotmail, Gmail and Yahoo Mail (in that order).
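The two paragraphs above describe the whole attack: an unsalted, fast hash plus a population of weak passwords. The following is an added example (not LeakedSource's or Last.fm's code) that builds a constructed unsalted-MD5 table, cracks it with a constructed wordlist in one pass, derives the "most popular passwords" statistic from the result, and then repeats the attack against the same passwords stored with a random per-user salt and a slow KDF to show where the cost moves. Usernames, passwords, the wordlist and the iteration count are all assumptions made for the demo.

```python
# Added example (not LeakedSource's or Last.fm's code): why an unsalted MD5
# table falls to a wordlist in hours, and why per-user salts plus a slow KDF
# do not share that failure. All users, passwords and the wordlist are constructed.
import hashlib
import hmac
import os
from collections import Counter

# Constructed user records. The plaintexts exist here only to build the
# tables; the attacker sees nothing but the stored hashes.
_SAMPLE_USERS = [
    ("alice", "123456"), ("bob", "password"), ("carol", "123456"),
    ("dave", "lastfm"), ("erin", "qwerty"), ("frank", "123456"),
    ("grace", "v3ry-l0ng-and-un1que-passphrase"),
]

# Constructed wordlist of the kind the cracked statistics reflect.
WORDLIST = ["123456", "password", "lastfm", "123456789", "qwerty", "letmein"]


def md5_unsalted(password: str) -> str:
    """What the breached site stored: MD5 of the bare password."""
    return hashlib.md5(password.encode()).hexdigest()


def leaked_md5_table() -> dict:
    return {user: md5_unsalted(pw) for user, pw in _SAMPLE_USERS}


def crack_unsalted(table: dict, wordlist: list) -> dict:
    """One MD5 per candidate word, regardless of how many users there are.

    Identical passwords share a hash, so a single lookup table recovers
    every user who chose that word. Cost is O(words), not O(users * words).
    """
    lookup = {md5_unsalted(w): w for w in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def crack_rate(cracked: dict, table: dict) -> float:
    return len(cracked) / len(table)


def top_passwords(cracked: dict, n: int = 3) -> list:
    """The 'most popular passwords' statistic, computed from cracked plaintexts."""
    return Counter(cracked.values()).most_common(n)


# Contrast: a random per-user salt and a deliberately slow KDF.
# 50_000 iterations keeps this demo quick; production values are far higher
# (OWASP currently recommends 600,000 for PBKDF2-HMAC-SHA256).
ITERATIONS = 50_000


def pbkdf2_salted(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def salted_table() -> dict:
    """What a site should store: (salt, digest) per user."""
    table = {}
    for user, pw in _SAMPLE_USERS:
        salt = os.urandom(16)
        table[user] = (salt, pbkdf2_salted(pw, salt))
    return table


def crack_salted(table: dict, wordlist: list) -> tuple:
    """No shared lookup is possible: each (user, word) pair costs a full KDF run.

    Returns the cracked users and the number of KDF evaluations spent, so the
    cost can be compared with the single pass over the unsalted table.
    """
    cracked = {}
    kdf_calls = 0
    for user, (salt, digest) in table.items():
        for word in wordlist:
            kdf_calls += 1
            if hmac.compare_digest(pbkdf2_salted(word, salt), digest):
                cracked[user] = word
                break
    return cracked, kdf_calls


if __name__ == "__main__":
    md5_table = leaked_md5_table()
    hits = crack_unsalted(md5_table, WORDLIST)
    print(f"unsalted MD5: {crack_rate(hits, md5_table):.0%} cracked with "
          f"{len(WORDLIST)} hashes computed; top: {top_passwords(hits)}")
    salted = salted_table()
    hits2, calls = crack_salted(salted, WORDLIST)
    print(f"salted PBKDF2: the same {len(hits2)} weak passwords fall, but it "
          f"took {calls} KDF runs of {ITERATIONS} iterations each")
```

Note that the salted, slow scheme still gives up every password that is on the wordlist; what it removes is the shared lookup, so the attacker pays one expensive KDF per user per guess instead of one cheap MD5 per guess for the whole dump. Salting fixes the storage side; the weak-choice side is only fixed by users picking passwords that are not in any list.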

The data also provides an interesting look at the site’s growth over the years. In 2002, for example, Last.fm added 3,455 users – a figure that climbed to 33,234 a year later. It wouldn’t be until 2006 that the site added more than a million users in a single year. Based on the breached data, Last.fm hit its peak in 2009 when it added more than 10.5 million users.

In retrospect, 2012-2013 was a seriously bad time for data breaches. In recent months, breaches from that period involving Dropbox, VK.com, LinkedIn, Myspace and Tumblr have cropped up, and according to LeakedSource there are countless databases in its queue that it hasn't even looked through yet.


 
In retrospect, people who use simple passwords for sites that don't really matter all that much are probably better off.
1. It's easy to remember.
2. Do you really care if your account gets compromised?
3. When there's a massive leak like this, the worst that can happen is that they get your last.fm (or whatever forum) account? (Alright, I know there's some potential for people to do malicious things through a site, but still.)
4. Why the hell even make a strong password when most of these sites will just get compromised and have all their passwords posted on the internet?

Whereas other people who use a shared strong password on several or all sites are the most screwed by this sort of thing. I guess the best thing would be to start using a password manager and hope their server doesn't get compromised... or that you don't forget your master password for it. Or just use stupid passwords for stupid sites.
 
You got a few points there. For forums, I use a combination of the same passwords. For things like Amazon, PayPal, eBay and so on, I use a site-specific password system that is easy for me to remember for each and every site. Basically two-part passwords, where one part is common but the other part is specific to that site. It seems to have been working pretty well for me for the last 8 years or so.
 
Yup, definitely makes sense. It's not like you put in credit card information or... wait... there are certain places where you can just let it be.

On the south side, if you get a couple of places hacked close together in time, they can crack your super code, so it's not recommended to have some things in common and some specific to the site.
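The warning in the reply above (two leaks belonging to the same person expose the shared part of a "common part + site part" scheme) is concrete enough to show in code. The following is an added example, not part of the thread and not anyone's posted code: it takes two constructed cracked plaintexts for one e-mail address, recovers the reused core as their longest common substring, checks a few hypothetical habits for deriving the site-specific tail, and produces a candidate for a site that has not leaked. The plaintexts, site names and transform list are all assumptions.

```python
# Added example (not part of the thread): what an attacker does with two cracked
# plaintexts for the same e-mail address when the owner uses a reused core plus a
# per-site tail. Plaintexts, site names and the transform list are constructed.
from difflib import SequenceMatcher

# Constructed: plaintexts recovered for one e-mail address from two breaches.
CRACKED = {
    "lastfm": "Tr0ub4dor!lstfm",
    "myspace": "Tr0ub4dor!myspc",
}

# Hypothetical ways people derive the site-specific tail from the site name.
TRANSFORMS = {
    "full site name": lambda s: s,
    "first four letters": lambda s: s[:4],
    "site name without vowels": lambda s: "".join(c for c in s if c not in "aeiou"),
}


def shared_core(plaintexts: list) -> str:
    """Longest substring present in every cracked plaintext: the reused part."""
    core, *rest = plaintexts
    for other in rest:
        m = SequenceMatcher(None, core, other, autojunk=False).find_longest_match(
            0, len(core), 0, len(other))
        core = core[m.a:m.a + m.size]
    return core


def site_parts(cracked: dict, core: str) -> dict:
    """What is left of each plaintext once the shared core is removed."""
    return {site: pw.replace(core, "", 1) for site, pw in cracked.items()}


def infer_rule(parts: dict):
    """Name of the first transform that reproduces every observed tail, else None."""
    for name, fn in TRANSFORMS.items():
        if all(fn(site) == tail for site, tail in parts.items()):
            return name
    return None


def predict(core: str, rule: str, site: str) -> str:
    """Candidate password for a site that has not leaked."""
    return core + TRANSFORMS[rule](site)


if __name__ == "__main__":
    core = shared_core(list(CRACKED.values()))
    parts = site_parts(CRACKED, core)
    rule = infer_rule(parts)
    print("shared core:", core, "| tails:", parts, "| rule:", rule)
    if rule:
        print("guess for an unbreached site:", predict(core, rule, "dropbox"))
```

Two cracked plaintexts are enough: the common substring falls out mechanically, and the tails only have to match one of a handful of habits before every other account the person owns becomes a single targeted guess rather than a dictionary attack.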
 
I don't give out all my secrets on an open forum.
 