
And the worst passwords from the Last.fm hack are…

September 5th, 2016 by Mark Daly in Industry News

Remember Last.fm? It’s a music tracking and analytics service where users sign up to share what their favourite music is so they can discover who they’re frequently listening to, what other artists they might like, or talk to other fans of their favourite groups.

It was a pretty unique service when it first came out in the early 2000s, and it hit its peak popularity around 2009/2010. That popularity may have made it a target of a hack in 2012, the details of which we’re only just now learning.

According to LeakedSource, which published the details of the hack this week, the Last.fm breach took place on March 22, 2012. The data for more than 43 million users was exposed, including usernames, passwords and email addresses.

What happened?

Apparently user passwords were stored as unsalted MD5 hashes, which LeakedSource says it took just two hours to crack back into readable plaintext passwords.

While Last.fm’s password hashing left much to be desired, sadly the breached passwords themselves weren’t much better.

The most popular password by far? “123456” – yes, seriously.

In fact, here are the top 10 most popular passwords, according to LeakedSource’s research:

Rank  Password    Frequency
 1    123456        255,319
 2    password       92,652
 3    lastfm         66,857
 4    123456789      63,984
 5    qwerty         46,201
 6    abc123         36,367
 7    abcdefg        34,050
 8    12345          33,785
 9    1234           30,938
10    music          27,975

Some users might not think a music logging site is important enough to merit a more complex password, but using passwords this insecure isn’t a good idea, especially if you’re likely to reuse them on other sites that are a bit more high-stakes.
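To make concrete why unsalted MD5 plus the top-10 list above is such a bad combination, here is an added example (not code from the original article or from Last.fm). It runs a password-database audit for the ten listed passwords in two ways: against unsalted MD5, where ten precomputed hashes cover every account at once and identical passwords produce identical hashes, and against a salted, slow KDF, where the same check must be repeated per account. The user names, passwords and salts in the sample databases are constructed.

```python
import hashlib
import os

# Top-10 passwords from the LeakedSource table quoted in the article.
TOP10 = ["123456", "password", "lastfm", "123456789", "qwerty",
         "abc123", "abcdefg", "12345", "1234", "music"]

def md5_unsalted(password: str) -> str:
    """The storage scheme the article describes: one MD5 of the password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()

def audit_unsalted_md5(stored: dict) -> dict:
    """Flag accounts whose stored hash equals the hash of a top-10 password.
    Ten precomputed hashes cover every account in the dump at once, which is why
    an unsalted MD5 database falls to a dictionary in hours rather than years."""
    lookup = {md5_unsalted(p): p for p in TOP10}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}

def pbkdf2_salted(password: str, salt: bytes, rounds: int) -> str:
    """Hardened form: a random per-user salt and a deliberately slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()

def audit_salted(stored: dict, rounds: int) -> dict:
    """Same audit against salted hashes: every candidate must be re-hashed per
    account with that account's salt, so the cost scales with users * rounds."""
    found = {}
    for user, (salt, h) in stored.items():
        for candidate in TOP10:
            if pbkdf2_salted(candidate, salt, rounds) == h:
                found[user] = candidate
                break
    return found

# Constructed sample users (not real breach data). alice and dave share a
# password, so under unsalted MD5 they also share one hash value.
USERS = [("alice", "123456"), ("bob", "correct horse battery staple"),
         ("carol", "music"), ("dave", "123456")]
UNSALTED_DB = {u: md5_unsalted(p) for u, p in USERS}

def make_salted_db(rounds: int) -> dict:
    """Same users stored with a fresh 16-byte salt each: no two hashes collide."""
    db = {}
    for u, p in USERS:
        salt = os.urandom(16)
        db[u] = (salt, pbkdf2_salted(p, salt, rounds))
    return db

if __name__ == "__main__":
    print(audit_unsalted_md5(UNSALTED_DB))  # alice, carol and dave flagged instantly
    print(audit_salted(make_salted_db(50_000), 50_000))  # same result, far more work
```

Both audits flag the same weak accounts; the difference is that the salted version has to do the work once per account, which is exactly the cost that unsalted MD5 removed for whoever held the 2012 dump.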

What to do?

Even if your password wasn’t in the top ten, if you were ever a Last.fm user it’s a good idea for you to change your password right away. If you’ve re-used your Last.fm password anywhere else, make sure to change that too (and make each password unique for each online account you have).

If you’re not sure if your information was part of this breach, you can check using LeakedSource’s search.

Copyright: Sophos Naked Security
