43 Million Passwords Hacked in Last.fm Breach

Discussion in 'Article Discussion' started by Melody Bot, Sep 2, 2016.

  1. Melody Bot

    Your friendly little forum bot. Staff Member

    This article has been imported from chorus.fm for discussion. All of the forum rules still apply.

    John Mannes, writing at TechCrunch:


    The number of passwords and the severity of the hack were not uncovered until today. The passwords were stored using unsalted MD5 hashing. Rather than storing passwords in plaintext, nearly every site that stores critical user information utilizes some form of hashing. Hashing is a method for encrypting data, but some methods are far superior to others.

    These are some really bad password practices and if you have an account at Last.fm, you should go change your password. Also, LeakedSource is a good resource to see if your information has shown up in any of these information database dumps over the past few years. You can search by your email address.
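
The difference between the unsalted MD5 storage the quoted article describes and a salted, deliberately slow scheme, as an added example that is not part of the original thread or of Last.fm's code. The account names, passwords, and the PBKDF2 iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not real data); two users share a password.
ACCOUNTS = {
    "alice": "123456",
    "bob": "123456",
    "carol": "correct horse battery staple",
}

PBKDF2_ITERATIONS = 600_000  # assumption: work factor chosen for this example


def md5_unsalted(password):
    """The storage scheme described in the article: MD5 with no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_salted(password, salt=b""):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_pbkdf2(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    candidate = pbkdf2_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def build_table(scheme):
    """Simulate the credentials table a site would keep under a given scheme."""
    return {user: scheme(pw) for user, pw in ACCOUNTS.items()}


def users_sharing_a_hash(table):
    """Group users whose stored values are identical (visible to anyone with the dump)."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    print("unsalted MD5 :", users_sharing_a_hash(build_table(md5_unsalted)))
    print("salted PBKDF2:", users_sharing_a_hash(build_table(pbkdf2_salted)))
```

With unsalted MD5, every account using the same password stores the same value, so a leaked table shows password reuse across users at a glance; with a per-user salt the stored values differ even for identical passwords.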

     
  2. doubledribble

    Regular

    Thanks @Jason Tate

    I didn't see that this had happened. Changed my password immediately.
     
    Raku and Jason Tate like this.
  3. Tylar

    Les incompétents

    Damn this crazy, kudos for linking to LeakedSource, just found out about a few of my other accounts on other websites that were leaked.
     
    Raku likes this.
  5. Fronnyfron

    Wannabe Brooklynite Prestigious

    Yeah good source. My email is safe but my old school email address got two hits from 2012-2013 huh
     
  6. Richard

    Regular Prestigious

    It's crazy, really. Systems have always lagged behind in password security practices even though the technology has always been there.
     
  7. Eric Wilson

    Trusted Supporter

    Will be keeping LeakedSource bookmarked. Really useful.
     
    Paul and Jason Tate like this.
  8. ioev

    I'm a kid I'm a squid

    More important than changing your password on last.fm, is to change your password anywhere else you suspect you may have used the password that was leaked. Your last.fm username and email can be used to find accounts you have on other services, and if you had used the same password, those accounts will be compromised as well.
     
    doubledribble, Tylar and Jason Tate like this.
  9. mynamesgeneric

    Newbie

    MD5 is not to be used for password hashing, unbelievable.
     
  10. Supernova

    Prayers/Triangles Supporter

    Thanks for posting this. Also didn't know about Leaked Source so glad I checked that out. Had 7 things pop up and changed a few of those already. Good thing my Last.fm password was unique to most of my other stuff....
     
  11. thevheissu

    that's not how the force works Prestigious

    My MySpace, Tumblr, Dropbox and Last.FM all on there. Yikes.
     
  12. skogsraet

    Trusted Supporter

    I change email addresses, usernames and passwords so frequently that I shouldn't have been as surprised as I was when nothing showed up for me on LeakedSource.

    Edit: also the most used password was 123456? Seriously? I thought last.fm users would be tech savvy enough to know better.
     
  13. KennyBloggins

    Newbie

    Thanks for that link which lets you check to see if your email address was hacked @Jason Tate -- found out 2 of my emails have been hacked on numerous sites.

    More importantly...last.fm has 43 million users???
     
    Jason Tate likes this.
  14. Raku

    Regular

    Yeah, unfortunately I got hit by this =/
     
  15. Paul

    Newbie

    This.
     
    Jason Tate likes this.
  16. Turkeylegz

    Next Concert: Tiny Moving Parts/Jetty Bones 2/2 Supporter

    I remember that you posted a link to LeakedSource before but I forgot where it was. It is a great resource and I'm glad you are sharing it! Luckily, I was safe in this instance but it never hurts to check!
     
    Jason Tate likes this.
  17. Kiana Sep 2, 2016
    (Last edited: Sep 2, 2016)
    Kiana

    You look like bad news, I gotta have you Prestigious

    Surprisingly my two current emails didn't show up with anything. My old email pinged from 3 years ago with Last.fm and Neopets lmao. That email was abandoned long ago tho and nothing important is associated with it, that I know of at least and back then password requirements were so weak that I don't think I use many of the same ones. Either way I'm locked out of that email so oop
     
  18. Luroda

    Consistently Lurking

    Thank you for the LeakedSource link! Just checked my most active email accounts and got a few hits from way back 2012-13. I have changed since, but I guess I should change again just as a precaution.

    And weird that my email address was in Ashley Madison database. Like, wtf.
     
  19. shawnhyphenray

    Regular

    I didn't really think last.fm was still a thing
     
  20. supernovagirl

    Poetic and noble land mermaid

    great resource, I apparently had my last.fm hacked in 2012 which sounds accurate as the last time I used it hah. Myspace, and tumblr and neopets (ayyy @Kiana lmao) as well. Whoops
     
    Jason Tate and Kiana like this.
  21. irthesteve

    formerly irthesteve Prestigious

    I had an ancient password on here, definitely going to change it, thanks
     
    Dirty Sanchez likes this.
  22. Dirty Sanchez

    Prestigious Prestigious

  23. CyberInferno Sep 4, 2016
    (Last edited: Sep 4, 2016)
    CyberInferno

    Line below my username Supporter

    This should serve as yet another reminder of why you should use randomized passwords and a password manager. Otherwise, someone who compromises one of your accounts can get them all.

    I personally use KeePass (free) and keep the encrypted file in my OneDrive. Got apps for all my devices. My encryption password is 20+ characters long, so brute forcing it would take forever even if someone were to get access to the file itself.

    While LastPass/Dashlane are fine, I like the additional security of requiring people to compromise both my OneDrive and then have to figure out how to hack my KeePass file. If you're going to use a cloud service, make sure to at least set up some kind of two-factor authentication with it.