Forum » Web Site Support

Security breach, account details stolen

 
    • [Deleted user] said...
    • User
    • 5 Jun 2012, 09:21

    Security breach, account details stolen

    Just wanted to say thanks for all the spam mail I've been getting recently.

    I use a custom email when signing up for sites, so I can say with 100% confidence that lastfm has sold out my email to one (or many) casino sites. I'm getting dozens of emails daily from them, so have now had to blacklist my lastfm email address.

    Might be worth posting a warning to anyone else considering signing up. Use a fake email address, or face the consequences!

    (edit - Changed title to better reflect what the issue is)

    Edited by a deleted user on 5 Jun 2012, 11:16
    • [Deleted user] said...
    • User
    • 5 Jun 2012, 09:44
    • [Deleted user] said...
    • User
    • 5 Jun 2012, 10:23
    Thanks.

    From those replies it sounds much worse than I thought. lastfm are admitting they have had a security breach. Has there been an official statement about this yet, or are they hoping no-one notices/complains?

    Is it clear yet what has been compromised? Do users need to worry about their credit card details for example?

    Has anyone reported this to the ICO yet?

    • dankine said...
    • User
    • 5 Jun 2012, 12:35
    FastfastGo said:
    Thanks.

    From those replies it sounds much worse than I thought. lastfm are admitting they have had a security breach. Has there been an official statement about this yet, or are they hoping no-one notices/complains?

    Is it clear yet what has been compromised? Do users need to worry about their credit card details for example?

    Has anyone reported this to the ICO yet?


    We’ve had reports from the community that a few of you are seeing spam from gambling sites. We want to make one thing very clear: We never give or sell your address to third parties without your explicit consent for a specific purpose.

    Does it really sound like that to you?

    "Those who can make you believe absurdities can make you commit atrocities"
    "I don't want to believe, I want to know"

    Auto Corrections Group
    • [Deleted user] said...
    • User
    • 5 Jun 2012, 13:16
    • [Deleted user] said...
    • User
    • 5 Jun 2012, 13:33
    dankine said:
    Does it really sound like that to you?


    Absolutely it does. If they had said they sold my email address, then that would be understandable (annoying as hell, but understandable). Instead they are specifically saying they DO NOT sell out email addresses, so the only other reasonable explanation is that they have been hacked, and account details exposed.

    The email address I used for lastfm is unique to my lastfm account. I use unique email addresses for each site that I sign up to so that I can tell when and where my email address is sold on, and then blacklist that email address.

    This is not an issue with my ISP. Again, I'm fortunate enough to have a domain account which means my ISP doesn't handle my mail.

    • [Deleted user] said...
    • User
    • 5 Jun 2012, 14:23
    It is possible that a release of email addresses by an alleged website provider or ISP, after their agreeing not to release the email addresses for any other purpose than specified in the EULA, is a contravention of the Data Protection Act.

    • dankine said...
    • User
    • 5 Jun 2012, 14:31
    FastfastGo said:
    dankine said:
    Does it really sound like that to you?


    Absolutely it does. If they had said they sold my email address, then that would be understandable (annoying as hell, but understandable). Instead they are specifically saying they DO NOT sell out email addresses, so the only other reasonable explanation is that they have been hacked, and account details exposed.

    The email address I used for lastfm is unique to my lastfm account. I use unique email addresses for each site that I sign up to so that I can tell when and where my email address is sold on, and then blacklist that email address.

    This is not an issue with my ISP. Again, I'm fortunate enough to have a domain account which means my ISP doesn't handle my mail.


    that's the only explanation you can come up with?

    "Those who can make you believe absurdities can make you commit atrocities"
    "I don't want to believe, I want to know"

    Auto Corrections Group
    • [Deleted user] said...
    • User
    • 5 Jun 2012, 14:40
    dankine said:
    that's the only explanation you can come up with?

    Yes. As I explained above. Are you trolling me?

    • [Deleted user] said...
    • User
    • 5 Jun 2012, 14:46
    I put up those two links to previous threads so that the accusers can take the advice given by last.fm staff to report this to site support. I was going to leave it at that, but I am going to say this: I believe the staff are truthful in their statement that they do not give or sell any information, be it email addresses, to any third party.

    I am also suspicious of this idea of purposely creating or registering an email account for the purpose of looking to see if you get any spam on it or where it is sold on. I mean, what the hell is with that? I used one of my existing email accounts to register, and I sure have not had any casino spamming my email.

    Check your IP and use the spam filter settings on your email client, or maybe these dodgy email accounts don't have them because they're a scam in the first place.

    Might be worth posting a warning to anyone else considering signing up. Use a fake email address, or face the consequences!

    That would be in breach of supplying a bona fide email for registering on last.fm, I think.

    Yes, I am very suspicious regarding these allegations.

    Edited by a deleted user on 5 Jun 2012, 14:56
    • [Deleted user] said...
    • User
    • 5 Jun 2012, 14:55
    I work as a software developer. I'd like to think I'm reasonably smart, especially when it comes to technology.

    There is nothing 'dodgy' about owning a domain, and therefore being able to create my own email addresses. I've been doing this for years and (as this shows) it's highly useful for me to be able to prove where my spam mail has originated from. It takes next to no effort from me, and when the address becomes a spam address (such as my lastfm address has now become) I can blacklist it to stop the spam.

    There is literally no-one other than myself and lastfm that knows the address. Not my ISP, not my 'mail provider'. Only lastfm, and either a) whoever they sold/gave it to or b) whoever stole the address from lastfm.

    If lastfm are claiming they don't sell/give away email addresses then this would have to be a breach of my account details. Given that I'm not the only one, I would seriously concern yourself right now with how many accounts have been breached, and what has been taken.
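
    The per-site address scheme the poster describes (one unique address per signup, blacklisted once spam arrives at it) is simple to automate. The script below is an added example written for this page; it is not code from any poster or from Last.fm. The sender domains, recipient addresses and messages in it are constructed for the example, as is the assumption that each site mails only from one expected domain. It handles two common schemes, a catch-all domain where the local part is the site tag and plus-addressing, attributes unexpected senders to the address they hit, and emits Sieve rules to drop further mail to a burned address.

```python
from collections import Counter, defaultdict

# Constructed sample mail for this example (From, To, Subject); none of these
# senders, domains or messages are real.
SAMPLE_MAIL = [
    ("news@weekly.example.net", "weekly@mail.example.org", "This week's digest"),
    ("promo@casino-one.example", "lastfm@mail.example.org", "FREE SPINS!!!"),
    ("vip@casino-two.example", "lastfm@mail.example.org", "Claim your bonus"),
    ("offers@casino-three.example", "lastfm@mail.example.org", "Win big tonight"),
    ("noreply@last.fm", "lastfm@mail.example.org", "Your weekly charts"),
    ("deals@casino-one.example", "me+shopsite@example.com", "Bonus inside"),
    ("support@shopsite.example", "me+shopsite@example.com", "Your order shipped"),
]

# Two common per-site schemes: a catch-all domain where the local part is the
# site tag (lastfm@mail.example.org), and plus-addressing (me+lastfm@example.com).
# Both domains are assumed values for this example.
CATCHALL_DOMAIN = "mail.example.org"
PLUS_USER, PLUS_DOMAIN = "me", "example.com"

# The sender domain each site tag is expected to mail from (assumed values).
EXPECTED_SENDER = {
    "weekly": "weekly.example.net",
    "lastfm": "last.fm",
    "shopsite": "shopsite.example",
}


def site_tag(addr):
    """Return the site tag encoded in a recipient address, or None if the
    address is not one of the per-site addresses."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain == CATCHALL_DOMAIN:
        return local
    if domain == PLUS_DOMAIN and local.startswith(PLUS_USER + "+"):
        return local[len(PLUS_USER) + 1:]
    return None


def sender_domain(addr):
    return addr.strip().lower().rpartition("@")[2]


def attribute_spam(messages, expected=EXPECTED_SENDER):
    """Map each per-site recipient address to a dict of sender domains that are
    not the site the address was given to. Anything in this map reached a
    sender the user never handed the address to."""
    unexpected = defaultdict(Counter)
    for frm, to, _subject in messages:
        tag = site_tag(to)
        if tag is None:
            continue  # not a tagged address; nothing to attribute
        sd = sender_domain(frm)
        if sd != expected.get(tag):
            unexpected[to.strip().lower()][sd] += 1
    return {addr: dict(c) for addr, c in unexpected.items()}


def burned_addresses(messages, min_senders=2):
    """Addresses that at least `min_senders` distinct unexpected senders are
    using; one stray sender could be a typo or a forward, several is a leak."""
    return sorted(
        addr for addr, senders in attribute_spam(messages).items()
        if len(senders) >= min_senders
    )


def sieve_rules(addresses):
    """Sieve (RFC 5228) rules that drop further mail to burned addresses."""
    return [
        'if address :is "to" "%s" { discard; stop; }' % addr
        for addr in addresses
    ]


if __name__ == "__main__":
    for addr, senders in attribute_spam(SAMPLE_MAIL).items():
        print(addr, "<-", ", ".join(sorted(senders)))
    print("\n".join(sieve_rules(burned_addresses(SAMPLE_MAIL))))
```

    What this attribution proves is narrow: the tagged address reached senders it was never given to, so it left the site it was created for, or some system that handled it along the way. It does not by itself show how that happened, which is why the minimum-sender threshold matters before an address is written off.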

    • [Deleted user] said...
    • User
    • 5 Jun 2012, 14:59
    I wasn't directly accusing Last.fm of breaking their EULA with their users; rather implying that there are a limited number of paths through which this personal information can leak. Namely, our ISPs, our email providers, and third-party content on Last.fm's web pages.

    The purpose of having customized email addresses is to eliminate dictionary attacks, one of the most common hacks. It's similar to using different passwords on different accounts or websites.

    Even with scripting disabled, one must add certain URLs to the "trusted sites" zone in order for logging-in and forum-posting to work properly. It is possible that one of the third-party links on Last.fm's web pages is able to leak information somehow to an email provider who happens to be common to both that link and the user who is being spammed. Hint: my email provider starts with "G".

    I can say no more here currently, for reasons of possibly compromising the ongoing audit. However, it might be wise for everyone affected to remove their email from their settings while Last.fm continues the investigation. I guess it may take some time...

    (I guess the mods will lock this thread now, but anyone else having this problem can make another, preferably quoting all the links above. And some tickets to support may bounce -- I've experienced this. I guess they're just understaffed.)

  • I've noticed this too, they're not making this up.

    First Hotmail, then soon after Yahoo mail, also got hacked in the last couple of months, at the provider end, not with users being phished. Lots of spam emails were sent and received.

    This is different (specifically gambling, and also happening to Gmail addresses with the only connection apparently being Last.fm) but I think hackers are certainly stepping their game up.

    • dankine said...
    • User
    • 5 Jun 2012, 17:09
    FastfastGo said:
    Yes. As I explained above. Are you trolling me?


    you seriously think the only way for someone to get that email addy is by lfm giving it to them? sigh

    "Those who can make you believe absurdities can make you commit atrocities"
    "I don't want to believe, I want to know"

    Auto Corrections Group
    • [Deleted user] said...
    • User
    • 5 Jun 2012, 17:19
    dankine said:
    you seriously think the only way for someone to get that email addy is by lfm giving it to them? sigh

    Thanks for yet another fantastic contribution to the thread. Really nailed it with that comment, well done.

    I'm just going to have to guess you have no idea what you're talking about.

  • Hello, Fastfastgo

    The staff have asked that anyone who has experienced this issue contact official support directly.

    http://www.last.fm/forum/21713/_/2051486/1#f18146267

    As for why these threads are being locked:
    http://www.last.fm/forum/21713/_/2052592/1#f18157611

  • Do users need to worry about their credit card details for example?

    No, we don't store your credit card details - subscriptions are processed entirely through PayPal.

    You can review the data you submit to us here, as well as our privacy policy:

    http://www.last.fm/settings
    http://www.last.fm/settings/password
    http://www.last.fm/settings/account
    http://www.last.fm/legal/privacy
