Last.fm Password Security Update

Page 1 of 91 2 3 ...9 Next

- Lastfmsupport said...
- Staff
- 7 Jun 2012, 16:10
Last.fm Password Security Update

Hi everyone,

We are currently investigating the leak of some Last.fm user passwords. This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately.

You can do this here: https://www.last.fm/settings/password

We strongly recommend that your new Last.fm password is different to the password you use on other services. For more advice on choosing a solid password we recommend: http://www.google.co.uk/goodtoknow/online-safety/passwords/

We’re sorry for the inconvenience around changing your password; Last.fm takes your privacy very seriously. We’ll be posting updates in our forums and via our Twitter account (@lastfm) as we get to the bottom of this.

The Last.fm Team

http://last.fm/help/support

[quote][b][user]Lastfmsupport[/user][/b] said: Hi everyone, We are currently investigating the leak of some Last.fm user passwords. This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately. You can do this here: https://www.last.fm/settings/password We strongly recommend that your new Last.fm password is different to the password you use on other services. For more advice on choosing a solid password we recommend: http://www.google.co.uk/goodtoknow/online-safety/passwords/ We’re sorry for the inconvenience around changing your password; Last.fm takes your privacy very seriously. We’ll be posting updates in our forums and via our Twitter account (@lastfm) as we get to the bottom of this. The Last.fm Team[/quote]

Permalink Quote
- Burkey said...
- Subscriber
- 7 Jun 2012, 16:14
Were the passwords hashed? Salted?

[quote][b][user]Burkey[/user][/b] said: Were the passwords hashed? Salted?[/quote]

Permalink Quote
- kramerfan86 said...
- User
- 7 Jun 2012, 16:17
Highly disappointing that last fm was apparently in the amateur hour club with LinkedIn

[quote][b][user]kramerfan86[/user][/b] said: Highly disappointing that last fm was apparently in the amateur hour club with LinkedIn[/quote]

Permalink Quote
- heavymakeup said...
- User
- 7 Jun 2012, 16:17
I wonder if these are the same people that leaked out passwords for linkedin and eHarmony...

[quote][b][user]heavymakeup[/user][/b] said: I wonder if these are the same people that leaked out passwords for linkedin and eHarmony...[/quote]

Permalink Quote
- megadethnatic said...
- User
- 7 Jun 2012, 16:42
Burkey said:
Were the passwords hashed? Salted?

Would be nice to know as then we know how risky it is really to keep the password.

[quote][b][user]megadethnatic[/user][/b] said: [quote][b][user]Burkey[/user][/b] said: Were the passwords hashed? Salted?[/quote] Would be nice to know as then we know how risky it is really to keep the password.[/quote]

Permalink Quote
- NightVermillion said...
- User
- 7 Jun 2012, 16:43
heavymakeup said:
I wonder if these are the same people that leaked out passwords for linkedin and eHarmony...

Yup, I'm asking myself the same thing.
I hope the passwords were at least hashed...

[quote][b][user]NightVermillion[/user][/b] said: [quote][b][user]heavymakeup[/user][/b] said: I wonder if these are the same people that leaked out passwords for linkedin and eHarmony...[/quote] Yup, I'm asking myself the same thing. I hope the passwords were at least hashed...[/quote]

Permalink Quote
- [Deleted user] said...
- User
- 7 Jun 2012, 16:45
Please be sure to use https://www.last.fm/settings/password and
not http://www.last.fm/settings/password to do this,
for enhanced security over the web.

(Check yellow bar at top of page...)

And remember to change the password in the client too, to continue scrobbling.

[quote][b][user][/user][/b] said: Please be sure to use https://www.last.fm/settings/password and not http://www.last.fm/settings/password to do this, for enhanced security over the web. (Check yellow bar at top of page...) And remember to change the password in the client too, to continue scrobbling. [/quote]

Permalink Quote
- Paradoxj said...
- User
- 7 Jun 2012, 16:52
Where can we check the password list?

[quote][b][user]Paradoxj[/user][/b] said: Where can we check the password list?[/quote]

Permalink Quote
- bengt_bangt said...
- Moderator
- 7 Jun 2012, 16:55
CarrieLookahead said:
Please be sure to use https://www.last.fm/settings/password and
not http://www.last.fm/settings/password to do this,
for enhanced security over the web.

(Check yellow bar at top of page...)

And remember to change the password in the client too, to continue scrobbling.

The http link actually redirects to the secure https one :)

FAQ | Site status | Known Issues | Official Support (English) |
May 21st site update | Hidden Stuff
Join the IRC channel #audioscrobbler on irc.last.fm

[quote][b][user]bengt_bangt[/user][/b] said: [quote][b][user]CarrieLookahead[/user][/b] said: Please be sure to use https://www.last.fm/settings/password and not http://www.last.fm/settings/password to do this, for enhanced security over the web. (Check yellow bar at top of page...) And remember to change the password in the client too, to continue scrobbling. [/quote]The http link actually redirects to the secure https one :)[/quote]

Permalink Quote
- Tomek said...
- User
- 7 Jun 2012, 17:16
It's a shame it's taken so long for them to issue this advice. I and several others reported over three weeks ago that last.fm or one of their affiliates had suffered a breach.

This was obvious as unique email addresses known only to last.fm suddenly started to receive spam.

So if this announcement is linked (which I assume it is) then they also have your email address too.

[quote][b][user]Tomek[/user][/b] said: It's a shame it's taken so long for them to issue this advice. I and several others reported over three weeks ago that last.fm or one of their affiliates had suffered a breach. This was obvious as unique email addresses known only to last.fm suddenly started to receive spam. So if this announcement is linked (which I assume it is) then they also have your email address too.[/quote]

Permalink Quote
- heavymakeup said...
- User
- 7 Jun 2012, 17:26
Tomek said:
It's a shame it's taken so long for them to issue this advice. I and several others reported over three weeks ago that last.fm or one of their affiliates had suffered a breach.

This was obvious as unique email addresses known only to last.fm suddenly started to receive spam.

So if this announcement is linked (which I assume it is) then they also have your email address too.

This is a very scary thought. I'm glad I don't use this account to pay for items via Paypal.

[quote][b][user]heavymakeup[/user][/b] said: [quote][b][user]Tomek[/user][/b] said: It's a shame it's taken so long for them to issue this advice. I and several others reported over three weeks ago that last.fm or one of their affiliates had suffered a breach. This was obvious as unique email addresses known only to last.fm suddenly started to receive spam. So if this announcement is linked (which I assume it is) then they also have your email address too.[/quote] This is a very scary thought. I'm glad I don't use this account to pay for items via Paypal. [/quote]

Permalink Quote
- Schander said...
- User
- 7 Jun 2012, 17:42
I don't feel like changing my password, before knowing if mine was actually among the ones that were "made public".

[quote][b][user]Schander[/user][/b] said: I don't feel like changing my password, before knowing if mine was actually among the ones that were "made public".[/quote]

Permalink Quote
- yelow said...
- User
- 7 Jun 2012, 17:47
Paradoxj said:
Where can we check the password list?

lol are you like serious?

[quote][b][user]yelow[/user][/b] said: [quote][b][user]Paradoxj[/user][/b] said: Where can we check the password list?[/quote] lol are you like serious? [/quote]

Permalink Quote
- [Deleted user] said...
- User
- 7 Jun 2012, 17:50
I don't feel like changing my password

You shouldn't reveal this on a public forum... you don't know who's reading it...

[quote][b][user][/user][/b] said: [quote]I don't feel like changing my password[/quote] You shouldn't reveal this on a public forum... you don't know who's reading it...[/quote]

Permalink Quote
- PrincessLexi said...
- User
- 7 Jun 2012, 17:53
Oh dear!

[quote][b][user]PrincessLexi[/user][/b] said: Oh dear![/quote]

Permalink Quote
- MusicMagic77 said...
- Subscriber
- 7 Jun 2012, 17:57
Last.fm Password Security Update

Let go to PWNEDLIST to check out your email addresses and passwords safety.

https://www.pwnedlist.com/

[quote][b][user]MusicMagic77[/user][/b] said: Let go to PWNEDLIST to check out your email addresses and passwords safety. https://www.pwnedlist.com/[/quote]

Permalink Quote
- [Deleted user] said...
- User
- 7 Jun 2012, 17:57
Ideally passwords should be at least ten alphanumeric characters long, and include uppercase, lowercase, numeric, and punctuation symbols
to maximize entropy (randomness). It's best not to use the same password on more than one account, and certainly not on more than one website.

[quote][b][user][/user][/b] said: Ideally passwords should be at least ten alphanumeric characters long, and include uppercase, lowercase, numeric, and punctuation symbols to maximize entropy (randomness). It's best not to use the same password on more than one account, and certainly not on more than one website.[/quote]

Permalink Quote
- PrincessLexi said...
- User
- 7 Jun 2012, 17:59
^ thank you for your advice!

[quote][b][user]PrincessLexi[/user][/b] said: ^ thank you for your advice![/quote]

Permalink Quote
- MusicMagic77 said...
- Subscriber
- 7 Jun 2012, 18:03
Last.fm Password Security Update

Ideally passwords should be generate easily at Free Password Generator Online page:

http://freepasswordgenerator.com/

[quote][b][user]MusicMagic77[/user][/b] said: Ideally passwords should be generate easily at Free Password Generator Online page: http://freepasswordgenerator.com/[/quote]

Permalink Quote
- [Deleted user] said...
- User
- 7 Jun 2012, 18:07
Re: Last.fm Password Security Update

MusicMagic77 said:
Let go to PWNEDLIST to check out your email addresses and passwords safety.

https://www.pwnedlist.com/

Well that's one way to get your email address put on spam lists anyway. Insert it into random forms on random websites with questionable domain names because some random stranger on the internet told you to do so.

No offence, but it's just a very bad idea.

[quote][b][user][/user][/b] said: [quote][b][user]MusicMagic77[/user][/b] said: Let go to PWNEDLIST to check out your email addresses and passwords safety. https://www.pwnedlist.com/[/quote] Well that's one way to get your email address put on spam lists anyway. Insert it into random forms on random websites with questionable domain names because some random stranger on the internet told you to do so. No offence, but it's just a very bad idea.[/quote]

Permalink Quote
- MusicMagic77 said...
- Subscriber
- 7 Jun 2012, 18:13
Re Re: Last.fm Password Security Update

Disagree!

[quote][b][user]MusicMagic77[/user][/b] said: Disagree![/quote]

Permalink Quote
- k0ff13p07 said...
- User
- 7 Jun 2012, 18:15
Some more (unconfirmed) info:

https://twitter.com/#!/crackmeifyoucan
A bit of stats on last.fm leak: 1) It happened a WHILE ago. 2010/2011 2) 17.3 million raw-md5 3) 16.4 million cracked. 95% cracked.

Over 43,000 of the leaked last.fm hashes contained the string 'lastfm' in some way.

The most common "words" in the lastfm leak? lastfm last love alex abc may mike june jan chris max music blue password qwerty july angel
:(

♪ This world could be fair,
. . . if we all turn into fairies ♫
But it wouldn't be very hip when eveybody became a hipster.

[quote][b][user]k0ff13p07[/user][/b] said: Some more (unconfirmed) info: https://twitter.com/#!/crackmeifyoucan A bit of stats on last.fm leak: 1) It happened a WHILE ago. 2010/2011 2) 17.3 million raw-md5 3) 16.4 million cracked. 95% cracked. Over 43,000 of the leaked last.fm hashes contained the string 'lastfm' in some way. The most common "words" in the lastfm leak? lastfm last love alex abc may mike june jan chris max music blue password qwerty july angel :([/quote]

Permalink Quote
- temujin1234 said...
- User
- 7 Jun 2012, 18:18
For anyone like me who uses the last.fm client AND a seperate music player with its own scrobbler, remember to update your pw in both.

[quote][b][user]temujin1234[/user][/b] said: For anyone like me who uses the last.fm client AND a seperate music player with its own scrobbler, remember to update your pw in both.[/quote]

Permalink Quote
- k0ff13p07 said...
- User
- 7 Jun 2012, 18:24
As i was flabbergasted by the dumb common words a link to check your passwords crackabillity.
(never use your real pass, but i think this site is safe, + the source available on github):

You need high numbers like this:
entropy: 50+ or more
crack time (display): centuries

♪ This world could be fair,
. . . if we all turn into fairies ♫
But it wouldn't be very hip when eveybody became a hipster.

[quote][b][user]k0ff13p07[/user][/b] said: As i was flabbergasted by the dumb common words a link to [url=http://dl.dropbox.com/u/209/zxcvbn/test/index.html]check your passwords[/url] crackabillity. (never use your real pass, but i think this site is safe, + the source available on github): You need high numbers like this: [b]entropy: [/b]50+ or more [b]crack time (display): [/b]centuries [/quote]

Permalink Quote
- JustAKayee said...
- User
- 7 Jun 2012, 18:28
Yikes...

Last Listened To...

[quote][b][user]JustAKayee[/user][/b] said: Yikes...[/quote]

Permalink Quote