Another day, another mega breach. This time it is the social music website Last.fm, which was hacked in 2012; over 43 million user accounts were compromised. The details of the breach were made public this week by Leaked Source, a website that tracks leaked databases. This comes off the back of revelations that a Dropbox hack a few years back let attackers get their hands on over 68 million user credentials. What makes the Last.fm breach worse is that the website used an insecure method to store its users' passwords. Here are the details.
Last.fm already knew it had been hacked back in 2012, but the extent of the breach was unknown until Leaked Source obtained data containing the username, email address, password and other internal information for 43,570,999 Last.fm accounts.
What makes this Last.fm hack particularly bad is the way the passwords were stored. According to Leaked Source:
“Passwords were stored using unsalted MD5 hashing. This algorithm is so insecure it took us two hours to crack and convert over 96% of them to visible passwords, a sizeable increase from prior mega breaches made possible because we have significantly invested in our password cracking capabilities for the benefit of our users.”
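To show concretely why unsalted MD5 falls this fast, here is an added Python example; it is not code from the original article and has nothing to do with Leaked Source's own cracking tooling. The "leaked" rows and the wordlist are constructed sample data, not Last.fm's. The first part cracks every row with a single pass over the wordlist, because without a salt one hash per candidate serves all users and identical passwords show up as identical hashes. The second part stores the same passwords with a per-user random salt and a slow hash (PBKDF2-HMAC-SHA256, via the standard library) so that the attacker has to redo the whole wordlist for every account, and counts the hash computations to make the cost difference visible. Function and variable names are the example's own.

```python
import hashlib
import hmac
import os

def md5_hex(password: str) -> str:
    """Unsalted MD5, the scheme the breach report describes."""
    return hashlib.md5(password.encode("utf-8"), usedforsecurity=False).hexdigest()

# Constructed sample "leak": (username, unsalted MD5 hash). Not real data.
LEAKED_ROWS = [
    ("alice", md5_hex("123456")),
    ("bob", md5_hex("password")),
    ("carol", md5_hex("123456")),                      # same password as alice
    ("dave", md5_hex("correct horse battery staple")),  # not in the wordlist
]

# Constructed attacker wordlist (a real one would hold millions of entries).
WORDLIST = ["123456", "password", "lastfm", "qwerty", "123456789"]


def crack_unsalted(rows, wordlist):
    """Recover passwords from unsalted hashes with ONE hash per candidate.

    The lookup table is built once and reused for every user, which is why
    the cost does not grow with the number of accounts. Identical passwords
    are exposed as identical hashes even before any cracking happens.
    Returns {username: password_or_None}.
    """
    lookup = {md5_hex(w): w for w in wordlist}
    return {user: lookup.get(h) for user, h in rows}


def store_password(password: str, iterations: int = 600_000) -> str:
    """Salted, slow storage: PBKDF2-HMAC-SHA256 with a random 16-byte salt.

    Stored format is "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>".
    The iteration count is the example's choice; tune it to your hardware.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored_rows, wordlist):
    """Attack salted storage: the wordlist must be re-hashed per user.

    Returns ({username: password_or_None}, number_of_hash_computations) so
    the work can be compared with crack_unsalted, which needs len(wordlist)
    hashes in total regardless of how many accounts leaked.
    """
    cracked, work = {}, 0
    for user, stored in stored_rows:
        cracked[user] = None
        for candidate in wordlist:
            work += 1
            if verify_password(candidate, stored):
                cracked[user] = candidate
                break
    return cracked, work


if __name__ == "__main__":
    print("unsalted MD5:", crack_unsalted(LEAKED_ROWS, WORDLIST))
    salted_rows = [
        ("alice", store_password("123456", iterations=10_000)),
        ("dave", store_password("correct horse battery staple", iterations=10_000)),
    ]
    print("salted PBKDF2:", crack_salted(salted_rows, WORDLIST))
```

Running it, the unsalted table recovers alice, bob and carol at once (and alice and carol share a hash, which an attacker sees without cracking anything), while dave's passphrase survives only because it is absent from the wordlist. Against the salted rows the attacker pays one slow hash per candidate per user, and two users with the same password get different stored strings, so a precomputed table buys nothing.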
Here are the five most common passwords that were used:
If you have a Last.fm account and want to find out if it has been compromised, you can do so over at Leaked Source’s search engine.
[Via Leaked Source]