Last.fm latest site to report password leak
Part of same security breach as leaks at LinkedIn, eHarmony
By Kazi Stastna, CBC News
Posted: Jun 8, 2012 12:31 PM ET
Last Updated: Jun 12, 2012 8:39 AM ET
A screen grab of the message Last.fm posted on its Twitter page advising users that their passwords may have been compromised. The leak is part of a security breach that saw several million passwords uploaded to an online forum devoted to password cracking. (Last.fm)
The music streaming website Last.fm is investigating a possible leak of users' passwords that is likely related to similar security breaches at LinkedIn and eHarmony.
In an advisory posted on its site Thursday, the company said it was looking into the leak and advised users to change their passwords.
It warned users that it would never email them a direct link to update their settings or ask for their password.
Earlier in the week, the popular networking site LinkedIn and the dating site eHarmony reported that some of their users' passwords had been leaked.
The passwords are believed to have been uploaded by a Russian hacker to an online forum dedicated to collectively cracking passwords on the site InsidePro.com, which sells password recovery software.
They were uploaded without usernames attached and in a hashed format, in which a one-way function transforms the password text into a code known as a hash.
Although hashing makes the passwords somewhat more difficult to recover, software exists to work out the original passwords from their hashes, and hackers can also guess the hash equivalents of some less-secure passwords.
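The hash guessing described above, written as a defender's audit of stored hashes; this is an added example and not part of the CBC article. It puts an unsalted fast digest beside a salted, slow one. SHA-1, PBKDF2, the work factor and every sample password are assumptions, since the article does not name the algorithm any of the sites used.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny list of commonly used passwords.
COMMON_PASSWORDS = ["password", "password123", "123456", "letmein"]
ITERATIONS = 100_000  # assumed work factor for the hardened scheme


def unsalted_hash(password):
    # Weak scheme: one fast digest, no salt (SHA-1 is an assumption).
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password, salt=None):
    # Hardened scheme: random per-user salt plus a deliberately slow KDF.
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_salted(password, salt, digest):
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(salted_hash(password, salt)[1], digest)


def audit_unsalted(stored, wordlist):
    # Hash each common password once, then look up every stored hash.
    table = {unsalted_hash(word): word for word in wordlist}
    return {h: table[h] for h in stored if h in table}


def demo():
    # Constructed accounts: two share a password, one uses a strong one.
    passwords = ["password", "password", "password123", "Vq7#long-unique-phrase"]
    weak_store = [unsalted_hash(p) for p in passwords]
    strong_store = [salted_hash(p) for p in passwords]
    # A table computed under the first user's salt is useless for the others.
    first_salt = strong_store[0][0]
    salted_table = {salted_hash(w, first_salt)[1] for w in COMMON_PASSWORDS}
    return {
        "distinct_weak_hashes": len(set(weak_store)),
        "flagged": sorted(audit_unsalted(weak_store, COMMON_PASSWORDS).values()),
        "distinct_strong_digests": len({d for _, d in strong_store}),
        "salted_table_hits": sum(d in salted_table for _, d in strong_store),
        "login_ok": verify_salted("password", *strong_store[0]),
    }


if __name__ == "__main__":
    print(demo())
```

In the unsalted store the two accounts sharing a password collapse to one hash and a single lookup table flags every weak entry; with per-user salts the same table has to be rebuilt, at full KDF cost, for each account.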
"A lot of users have very simple passwords like the word 'password' or 'password123'," said Vikram Thakur, a researcher with the computer security firm Symantec. "Even without knowing the hash which is in the database, it's very easy for them to compute the hashes of some very commonly used passwords and then just ... see which one it matches to."
8 million passwords leaked
The technology news site Ars Technica reported that as many as eight million passwords were uploaded to the Inside Pro forum in two separate lists by a user identified as dwdm, with close to 6.5 million of the passwords coming from the LinkedIn database.
It took a user on the forum less than 2½ hours to crack 1.2 million of the hashed passwords, Ars Technica reported.
Without the associated log-in names, the cracked passwords have limited use, but that doesn't necessarily mean users are safe, says Thakur.
"We can never be certain that the people who put this database onto the public website have disclosed everything that they acquired," he said. "They may have just kept the usernames to themselves, and they're just waiting for the community to come out and tell them what these hashes correspond to. They know which user that password maps to, and they can take control of it."
Hacking into password databases like the ones that were posted to the forum is not a trivial matter, said Thakur.
"Getting a hold of these databases is not easy at all, and whoever did it either had a trick up their sleeve or were very good hackers who were able to circumvent all the security measures that had been put in place," he said.
Password databases are generally stored on an internal network, but for sites like LinkedIn, eHarmony and Last.fm they would also have to be accessible from an external portal since users have to log in to those sites.

