Last.fm Password Security Update

 
  • Last.fm Password Security Update

    Hi everyone,

    We are currently investigating the leak of some Last.fm user passwords. This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately.

    You can do this here: https://www.last.fm/settings/password

    We strongly recommend that your new Last.fm password is different to the password you use on other services. For more advice on choosing a solid password we recommend: http://www.google.co.uk/goodtoknow/online-safety/passwords/

    We’re sorry for the inconvenience around changing your password; Last.fm takes your privacy very seriously. We’ll be posting updates in our forums and via our Twitter account (@lastfm) as we get to the bottom of this.

    The Last.fm Team

    • Burkey said...
    • Subscriber
    • 7 Jun 2012, 16:14
    Were the passwords hashed? Salted?

  • Highly disappointing that Last.fm was apparently in the amateur hour club with LinkedIn

  • I wonder if these are the same people that leaked out passwords for LinkedIn and eHarmony...

  • Burkey said:
    Were the passwords hashed? Salted?


    Would be nice to know as then we know how risky it is really to keep the password.

  • heavymakeup said:
    I wonder if these are the same people that leaked out passwords for LinkedIn and eHarmony...


    Yup, I'm asking myself the same thing.
    I hope the passwords were at least hashed...

    • [Deleted user] said...
    • User
    • 7 Jun 2012, 16:45
    Please be sure to use https://www.last.fm/settings/password and
    not http://www.last.fm/settings/password to do this,
    for enhanced security over the web.

    (Check yellow bar at top of page...)

    And remember to change the password in the client too, to continue scrobbling.

  • Where can we check the password list?

  • CarrieLookahead said:
    Please be sure to use https://www.last.fm/settings/password and
    not http://www.last.fm/settings/password to do this,
    for enhanced security over the web.

    (Check yellow bar at top of page...)

    And remember to change the password in the client too, to continue scrobbling.

    The http link actually redirects to the secure https one :)

    • Tomek said...
    • User
    • 7 Jun 2012, 17:16
    It's a shame it's taken so long for them to issue this advice. I and several others reported over three weeks ago that last.fm or one of their affiliates had suffered a breach.

    This was obvious as unique email addresses known only to last.fm suddenly started to receive spam.

    So if this announcement is linked (which I assume it is) then they also have your email address too.

  • Tomek said:
    It's a shame it's taken so long for them to issue this advice. I and several others reported over three weeks ago that last.fm or one of their affiliates had suffered a breach.

    This was obvious as unique email addresses known only to last.fm suddenly started to receive spam.

    So if this announcement is linked (which I assume it is) then they also have your email address too.


    This is a very scary thought. I'm glad I don't use this account to pay for items via Paypal.

  • I don't feel like changing my password, before knowing if mine was actually among the ones that were "made public".

    • yelow said...
    • User
    • 7 Jun 2012, 17:47
    Paradoxj said:
    Where can we check the password list?


    lol are you like serious?

    • [Deleted user] said...
    • User
    • 7 Jun 2012, 17:50
    I don't feel like changing my password

    You shouldn't reveal this on a public forum... you don't know who's reading it...

  • Oh dear!

  • Last.fm Password Security Update

    Let's go to PWNEDLIST to check out your email addresses and passwords safety.

    https://www.pwnedlist.com/

    • [Deleted user] said...
    • User
    • 7 Jun 2012, 17:57
    Ideally passwords should be at least ten alphanumeric characters long, and include uppercase, lowercase, numeric, and punctuation symbols
    to maximize entropy (randomness). It's best not to use the same password on more than one account, and certainly not on more than one website.

  • ^ thank you for your advice!

  • Last.fm Password Security Update

    Ideally passwords should be generated easily at the Free Password Generator Online page:

    http://freepasswordgenerator.com/

    • [Deleted user] said...
    • User
    • 7 Jun 2012, 18:07

    Re: Last.fm Password Security Update

    MusicMagic77 said:
    Let's go to PWNEDLIST to check out your email addresses and passwords safety.

    [Pending moderation]


    Well that's one way to get your email address put on spam lists anyway. Insert it into random forms on random websites with questionable domain names because some random stranger on the internet told you to do so.

    No offence, but it's just a very bad idea.

  • Re Re: Last.fm Password Security Update

    Disagree!

  • Some more (unconfirmed) info:

    https://twitter.com/#!/crackmeifyoucan
    A bit of stats on last.fm leak: 1) It happened a WHILE ago. 2010/2011 2) 17.3 million raw-md5 3) 16.4 million cracked. 95% cracked.

    Over 43,000 of the leaked last.fm hashes contained the string 'lastfm' in some way.

    The most common "words" in the lastfm leak? lastfm last love alex abc may mike june jan chris max music blue password qwerty july angel
    :(

    ♪ This world could be fair,
    . . . if we all turn into fairies ♫

    But it wouldn't be very hip when everybody became a hipster.
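
An added example, not part of any post in this thread: why the "raw-md5" storage reported above matters, next to a salted, slow alternative. The account names and the strong password are constructed sample data, the common words are the ones quoted in the post, and the choice of PBKDF2-HMAC-SHA256 with 600,000 iterations is an assumption of this example, not anything Last.fm has stated.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; the weak passwords come from the
# "most common words" list quoted in the thread.
ACCOUNTS = {"user_a": "lastfm", "user_b": "qwerty",
            "user_c": "lastfm", "user_d": "T7#vq-Lm2!xR"}
COMMON_WORDS = ["lastfm", "last", "love", "music", "password", "qwerty", "angel"]

def raw_md5(password):
    """Unsalted, single-pass MD5: the 'raw-md5' storage reported in the thread."""
    return hashlib.md5(password.encode()).hexdigest()

def audit_raw_md5(stored, wordlist):
    """Defender's audit: which stored raw-MD5 records fall to a plain table lookup?"""
    table = {raw_md5(word): word for word in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}

def hash_password(password, iterations=600_000):
    """Salted, slow hash with a fresh random salt per record (assumed parameters)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, record):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    md5_db = {user: raw_md5(pw) for user, pw in ACCOUNTS.items()}
    # Unsalted: every common word is recovered by lookup, and identical
    # passwords are visible as identical hashes.
    print("recovered by lookup:", audit_raw_md5(md5_db, COMMON_WORDS))
    print("same hash for same password:", md5_db["user_a"] == md5_db["user_c"])
    # Salted: the same password yields different records, so one
    # precomputed table no longer covers every user at once.
    rec_a, rec_c = hash_password("lastfm"), hash_password("lastfm")
    print("salted records differ:", rec_a != rec_c)
    print("still verifies:", verify_password("lastfm", rec_a))
```

A salt does not rescue a weak password from a targeted guess; it removes the shared lookup table and the slow hash raises the cost of each guess.
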
  • For anyone like me who uses the last.fm client AND a separate music player with its own scrobbler, remember to update your pw in both.


  • As I was flabbergasted by the dumb common words, a link to check your password's crackability.
    (never use your real pass, but I think this site is safe, + the source available on GitHub):

    You need high numbers like this:
    entropy: 50+ or more
    crack time (display): centuries

    ♪ This world could be fair,
    . . . if we all turn into fairies ♫

    But it wouldn't be very hip when everybody became a hipster.
  • Yikes...
