Last.fm latest site to report password leak

Part of same security breach as leaks at LinkedIn, eHarmony

By Kazi Stastna, CBC News

Posted: Jun 8, 2012 12:31 PM ET

Last Updated: Jun 12, 2012 8:39 AM ET

A screen grab of the message Last.fm posted on its Twitter page advising users that their passwords may have been compromised. The leak is part of a security breach that saw several million passwords uploaded to an online forum devoted to password cracking. (Last.fm)

The music streaming website Last.fm is investigating a possible leak of users' passwords that is likely related to similar security breaches at LinkedIn and eHarmony.

In an advisory posted on its site Thursday, the company said it was looking into the leak and advised users to change their passwords.

It warned users that it would never email them a direct link to update their settings or ask for their password.

Earlier in the week, the popular networking site LinkedIn and the dating site eHarmony reported that some of their users' passwords had been leaked.

The passwords are believed to have been uploaded by a Russian hacker to an online forum dedicated to collectively cracking passwords on the site InsidePro.com, which sells password recovery software.

They were uploaded without usernames attached and in an encrypted format that transforms password text into a code known as a hash.

Although this encryption makes the password somewhat more difficult to crack, software exists to extract the original passwords from their hashes, and hackers can also guess the hash equivalents of some less-secure passwords.

"A lot of users have very simple passwords like the word 'password' or 'password123'," said Vikram Thakur, a researcher with the computer security firm Symantec. "Even without knowing the hash which is in the database, it's very easy for them to compute the hashes of some very commonly used passwords and then just ... see which one it matches to."

8 million passwords leaked

The technology news site Ars Technica reported that as many as eight million passwords were uploaded to the Inside Pro forum in two separate lists by a user identified as dwdm, with close to 6.5 million of the passwords coming from the LinkedIn database.

It took a user on the forum less than 2½ hours to crack 1.2 million of the hashed passwords, Ars Technica reported.

Without the associated log-in names, the decrypted passwords have limited use, but that doesn't necessarily mean users are safe, says Thakur.

'Getting a hold of these databases is not easy at all, and whoever did it either had a trick up their sleeve or were very good hackers.'— Vikram Thakur, Symantec

"We can never be certain that the people who put this database onto the public website have disclosed everything that they acquired," he said. "They may have just kept the usernames to themselves, and they're just waiting for the community to come out and tell them what these hashes correspond to. They know which user that password maps to, and they can take control of it."

Hacking into password databases like the ones that were posted to the forum is not a trivial matter, said Thakur.

"Getting a hold of these databases is not easy at all, and whoever did it either had a trick up their sleeve or were very good hackers who were able to circumvent all the security measure that had been put in place," he said.

Password databases are generally stored on an internal network, but for sites like LinkedIn, eHarmony and Last.fm they would also have to be accessible from an external portal since users have to log in to those sites.

Stay Connected with CBC News

Big Box Advertisement

Top News Headlines

Afghan legislators block law protecting women

Afghan legislators block law protecting women: An Afghan legislator says conservative lawmakers have blocked approval of a law that aims to protect women's freedoms, saying parts of it violate Islamic principles. more »

Senator Pamela Wallin leaves Conservative caucus: Senator Pamela Wallin says she is recusing herself from the Conservative caucus while her travel expense claims are under scrutiny. Wallin's departure comes one day after Senator Mike Duffy left the Tory caucus amid controversy over his expense claims. more »
Toronto mayor cancels weekly radio show: Toronto Mayor Rob Ford will not be hosting his weekly radio show this weekend after explosive allegations that he was recorded on video appearing to smoke crack cocaine. more »
WHO concerned coronavirus spreading person to person: The World Health Organization has issued a blunt assessment of the coronavirus outbreak in Saudi Arabia, acknowledging for the first time that there are concerns the virus may be spreading from person to person, at least in a limited way. more »
Body found after fishing boat capsizes off New Brunswick: A man's body has been found after a lobster fishing boat capsized off the eastern coast of New Brunswick. more »

Must Watch

Latest Technology & Science News Headlines

High Arctic research station saved by new funding

High Arctic research station saved by new funding: Canada's northernmost research lab won't have to shut down after all and will be able to resume year-round operations, with the help of a new grant from the federal government. more »

2 earthquakes felt in Ontario and Quebec: Two earthquakes near the Ontario-Quebec border could be felt across both provinces this morning. more »
Chris Hadfield's translator: Q&A with Canadian astronaut Jeremy Hansen: While Chris Hadfield was returning from the International Space Station on Monday night, another Canadian astronaut was offering his own unique play-by-play of the action as the Soyuz capsule plunged to Earth. more »
Why some Canadians want to die on Mars: More than 80,000 people have applied for a Dutch non-profit organization's proposed one-way trip to Mars. Anna Maria Tremonti, host of The Current, spoke to four Canadians — two Mars one applicants, a member of the Mars One team, and astronaut Julie Payette — about whether it's a good idea. more »
Is warp speed possible?: Star Trek Into Darkness hit the big screen this week, taking moviegoers back to a science fiction universe where starships are capable of warp speed, crossing light years of interstellar space in minutes. But is that scientifically possible? And if so, how? more »

More Headlines »

Bob McDonald's Blog

Chris Hadfield: The gravity of gravity May. 17, 2013 9:58 AM After five months of being Superman and a media superstar, Canadian astronaut Chris Hadfield is now beginning the challenging task of adapting his mortal body and brain to life back on Earth.

Quirks & Quarks

May 18: Apps for Apes May. 17, 2013 4:26 PM Scientists at more than 2 dozen zoos around the world, including the Toronto Zoo, have been using computer tablets to stimulate our bright orange primate cousins, the orangutans. And the orangutans have been loving it.