Forum » Web Site Support

Last.fm Password Security Update

 
  • I had a fairly good password too, but I've been getting spam as well (several e-mails in the past week or so). Most of it has been about ink cartridges. My e-mail isn't only for Last.fm, but I rarely got spam before, so it's probably connected.

    I don't think the "good password/bad password" debate is productive. Everyone is vulnerable in a situation like this, even if some people's passwords are easier to decode than others. Yeah, it's stupid to use "qwerty" or a common name as your password, but it's still Last.fm's job to keep private information private. That's the issue here, not the strength of people's passwords.

    • DFA1979 said...
    • Subscriber
    • 9 Jun 2012, 21:31
    Lone__Wolf said:
Changed my password and everything seems to be working fine. I just hope they don't leak LastPass passwords. That would be a pain in the ass.
    LastPass should be perfectly safe. It encrypts locally, your master password isn't stored online anywhere. There's no practical way that those passwords would be leaked on a large scale, and they'd be of no use anyway if you're using it properly.

  • What does 'client' mean?!

Sorry if I'm being dense, but what does it mean 'make sure to change it on the Last.fm client too'? And how do I change it on my scrobbler thingy? Don't even know where to start!

    Thanks :o)

    • Babs_05 said...
    • Moderator
    • 9 Jun 2012, 23:25
    Scrobbler thing is the client. Tools > Options > Account

    • [Deleted user] said...
    • User
    • 10 Jun 2012, 00:22
I wouldn't have known about this if I hadn't come to the site today, so you guys were pretty quiet about all of this, and it is very disturbing. Thankfully I already changed it as soon as I came to the site.

    • Babs_05 said...
    • Moderator
    • 10 Jun 2012, 00:29
    alerts via social media, direct email and on the Last.fm site itself.
    http://blog.last.fm/2012/06/08/an-update-on-lastfm-password-security

  • Yup, I'm definitely receiving way more spam than usual... thanks a lot, last.fm!

    I sincerely hope (for you) this is as bad as it gets... I'm seriously fed up with this shit! These last few years, the website has gotten less and less user-friendly... and now this.

  • It definitely is not true that the leak only happened in 2010/2011.

    As a few others here I started using unique e-mail addresses a few years back. A few months ago I moved all these unique e-mail addresses to a new domain. On March 17, 2012 I changed my e-mail address associated with my last.fm account. Exactly two weeks later, on March 31, I received a spam mail on that very e-mail address, which was only known to last.fm. So that means that between March 17 and March 31 some hackers also had access to at least some portion of the database.

    I can also definitely rule out a weak password, because back then my password for last.fm consisted of a 32 character, alphanumeric password containing special characters (and of course it was unique to last.fm).

  • I thought I had a pretty solid password. On some sites when you enter a password while making an account there is software that rates your intended password, and I have been using passwords that are as complex as the ones that I made which were rated as "strong", or "very strong". However, it would seem that that level of complexity is not good enough. I made my account last August, and used it in that month, and September, but someone was on it in May on the 18th, and 22nd playing someone that I never heard of before.

    On another note, it would seem that the "year+" time frame for when the leak happened comment from someone is a bit inaccurate, judging from when I made my account it's more like 10 months ago at most.

    I would not have discovered any of this at this time, or maybe ever if not for the email Last FM sent me.

    • Moertel said...
    • Subscriber
    • 10 Jun 2012, 12:39
Babs_05 said:
    alerts via social media, direct email and on the Last.fm site itself.
    http://blog.last.fm/2012/06/08/an-update-on-lastfm-password-security

    I haven't received any email from you guys yet.

    And guess what? This is an email I received from libre.fm on June 8th:
    As you may have seen, both Last.fm and LinkedIn have had a number of
    passwords compromised. As a precaution, ALL Libre.fm user passwords
    have been reset to a random, secure password.


    And that's a service I don't even pay for. If you're not able to inform all your users in time (as your blog post indicates) then find some means to make them aware, even if that means changing their passwords.

Clients cache the scrobbles, so no information is lost either.

    You're really not handling this issue properly.

    ... remember me for times I've ruined you
    [not the times I made you smile]
    • [Deleted user] said...
    • User
    • 10 Jun 2012, 13:35
^ Have you disabled your last.fm e-mail notifications? I didn't receive any notification for my other account here (which has all e-mail notifications disabled), but received a mail for this account on 8th June at 23:00 (UTC+2:00).

  • Moertel said:
    You're really not handling this issue properly.

    Indeed. It's quite a disaster actually and more than obvious that they don't have anyone who is dedicated to handling security concerns.

There are thousands of users out there who still have absolutely no clue that their hashed passwords are out in the wild, and most of them (95%) are cracked already. We all know that a majority of people re-use their login credentials all the time, so this is a huge, huge, huge issue for a lot of people.

Last.fm cares about their users' data? They have yet to prove that, because currently that definitely isn't the case at all.

    I also still didn't receive any e-mail notification. Both "Social notifications" and "Announcements from Last.fm" are checked, so I should receive it.

    I really have to agree with everything FastfastGo wrote.

    • Moertel said...
    • Subscriber
    • 10 Jun 2012, 14:43
    dEXnor said:
    ^ Have you disabled your last.fm e-mail notifications?
    No, not recently. Although one may assume that a message as important as this should go through regardless of the settings. However:

    [X] Social notifications
    [X] Our occasional digest email
    [X] Events and new releases
    [X] Announcements from Last.fm
    [_] Promotions and announcements from partners
    [_] Never contact me by email


    One possible explanation could be: After receiving daily spam messages because of the leak, I changed my last.fm-specific email address. But I did that a month ago. Should they really have sent out their notification to the email addresses which were exposed through the leak and not those currently set in the profile settings? I would find that odd.

    Anyone here who changed his/her email address recently and did receive the password-leak-notification?

    ... remember me for times I've ruined you
    [not the times I made you smile]
    • Luums said...
    • User
    • 10 Jun 2012, 15:06
I don't know if this is related, but since today I'm having trouble with my Facebook account which, I just found out, has the same password I had here...
Just changed my password here on Last.fm, but I can't help thinking that the problem is connected.
I've sent a message to Facebook support; hopefully they can fix it. But maybe you guys know more? I can still access my Facebook account but can't post anything anymore, nor can I change my password...

    • Nick226 said...
    • User
    • 10 Jun 2012, 15:12
I can't scrobble any tracks.

    What's up with that?

  • I haven't gotten an e-mail from Last.fm either, and I have all the options checked except the "Never contact me by e-mail" one. In the past, I've received e-mails Last.fm has sent, and I've never changed my e-mail address.

    I did, however, get more spam today, this time telling me I need to change my e-mail address for "Chase Online." Sigh.

    EDIT: I finally got an e-mail, several hours after I wrote this.

    Edited by lost_souvenirs on 11 Jun 2012, 00:44
I have some trouble with my last.fm account today; that's the 4th time I've been logged out. Is it related?

    Is it just a passing phase? / Do your methods change each day
    Forgiving nothing is being kind / You turn your back and you left us behind
  • I never got the email, either.


  • Edited by keshaTop on 10 Jun 2012, 22:32
I reset my password and now I can't scrobble any tracks! My last.fm app is logging the scrobbles, but it's not letting me reconnect.
I'm getting this error message: "Error: Info download failed: No server set to connect to"
As a possible solution, I tried to put in my new password on the last.fm app, but it's simply not recognising my new password and only accepting the old one.

    What do?

    what the fuck do i need a signature for?
    • l-_-I said...
    • User
    • 11 Jun 2012, 08:01
    I just received the first spam mail on the email account I registered at last.fm. Thank you very much!

  • Bye!

    Right, that's my account scheduled for deletion.

I absolutely refuse to use sites which have such a ridiculously stupid and cavalier approach to the security of users' data.

    Passwords should never ever EVER be stored as plain text. EVER. It is the absolute height of amateurism and stupidity. Had Last.fm stored the passwords properly as one-way encrypted hashes (as any competent site should do), this leak wouldn't have been as much of a problem.

    As it is, Last.fm obviously don't care about the security of my personal data, so goodbye, I'm off!

    • DFA1979 said...
    • Subscriber
    • 11 Jun 2012, 12:16

    Re: Bye!

    Trippynet said:
    Passwords should never ever EVER be stored as plain text. EVER. It is the absolute height of amateurism and stupidity.
    …and the slightest bit of reading about what happened here would tell you that the passwords weren't stored as plain text, but were in fact… one-way hashes. While there were clearly major flaws in how last.fm stored this information, can't you keep your criticism restricted to things they actually did?

  • >>>Passwords should never ever EVER be stored as plain text. EVER.

    They weren't.
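
The plaintext-versus-hashes argument in the last few posts, and the earlier remark that most of the leaked hashes are already cracked, turn on one detail the thread never spells out: a one-way hash on its own is not enough if it is fast and unsalted. The script below is an added example written for this page; it is not Last.fm's code and the thread does not say which hash Last.fm used, so unsalted MD5 stands in for any fast unsalted hash. The usernames, passwords and wordlist are constructed sample data. It runs the same dictionary attack against unsalted hashes and against per-user salted PBKDF2 records and counts the work each costs.

```python
"""Added example (not from the thread, not Last.fm's code): why leaked
one-way hashes still get cracked in bulk, and what salt plus a slow KDF changes.
All data below is constructed for illustration."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample wordlist; real cracking lists hold millions of entries.
WORDLIST = ["password", "qwerty", "letmein", "123456", "lastfm2012", "music"]

# Constructed sample users. carol's password is not in the wordlist and should
# survive both attacks; bob and dave share a password on purpose.
USERS = {
    "alice": "qwerty",
    "bob": "music",
    "carol": "Xk7#pQ2z!vL9",
    "dave": "music",
}


def md5_hex(password: str) -> str:
    """Stand-in for a fast, unsalted hash (assumption: the thread names none)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# What a leaked table of unsalted hashes looks like: identical passwords give
# identical hashes, so cracking one entry cracks every user sharing it.
LEAKED_UNSALTED = {user: md5_hex(pw) for user, pw in USERS.items()}


def crack_unsalted(leaked: Dict[str, str], wordlist) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on unsalted hashes. Each candidate is hashed once and
    looked up against every user's hash, so the work is len(wordlist) hashes no
    matter how many users leaked. Returns (cracked users, hash computations)."""
    table = {md5_hex(w): w for w in wordlist}
    cracked = {u: table[h] for u, h in leaked.items() if h in table}
    return cracked, len(wordlist)


def make_salted_record(password: str, iterations: int = 100_000,
                       salt: Optional[bytes] = None) -> Dict[str, object]:
    """Store PBKDF2-HMAC-SHA256(password, random per-user salt, iterations)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify_salted(password: str, record: Dict[str, object]) -> bool:
    """Recompute the derivation and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def crack_salted(leaked: Dict[str, Dict[str, object]], wordlist) -> Tuple[Dict[str, str], int]:
    """Same dictionary attack against salted records. The salt defeats the shared
    lookup table: every (user, candidate) pair costs a full PBKDF2 run, and the
    iteration count makes each run deliberately slow. Stops per user on a hit."""
    cracked: Dict[str, str] = {}
    work = 0
    for user, rec in leaked.items():
        for w in wordlist:
            work += 1
            if verify_salted(w, rec):
                cracked[user] = w
                break
    return cracked, work


def demo(iterations: int = 100_000) -> Dict[str, object]:
    """Run both attacks over the constructed users and report the results."""
    unsalted_cracked, unsalted_work = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    salted = {u: make_salted_record(pw, iterations) for u, pw in USERS.items()}
    salted_cracked, salted_work = crack_salted(salted, WORDLIST)
    return {
        "unsalted_cracked": unsalted_cracked,
        "unsalted_work": unsalted_work,
        "salted_cracked": salted_cracked,
        "salted_work": salted_work,
        # Same password, different salts: the stored hashes no longer match.
        "bob_dave_hashes_equal_salted": salted["bob"]["hash"] == salted["dave"]["hash"],
        "bob_dave_hashes_equal_unsalted": LEAKED_UNSALTED["bob"] == LEAKED_UNSALTED["dave"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both attacks recover the weak passwords; that is the point the "good password/bad password" posts above are making, and a salt does not rescue "qwerty". What changes is the economics: against the unsalted table one pass over the wordlist cracks every user at once, while the salted records force a separate slow derivation per user and per guess, which is what keeps a whole user base from being cracked in bulk after a leak.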
