Science latest site to report password leak

The music streaming website is investigating a possible leak of users' passwords that is likely related to similar security breaches at LinkedIn and eHarmony.

Part of same security breach as leaks at LinkedIn, eHarmony

A screen grab of the message posted on its Twitter page advising users that their passwords may have been compromised. The leak is part of a security breach that saw several million passwords uploaded to an online forum devoted to password cracking. (

The music streaming website is investigating a possible leak of users' passwords that is likely related to similar security breaches at LinkedIn and eHarmony.

In an advisory posted on its site Thursday, the company said it was looking into the leak and advised users to change their passwords.

It warned users that it would never email them a direct link to update their settings or ask for their password.

Earlier in the week, the popular networking site LinkedIn and the dating site eHarmony reported that some of their users' passwords had been leaked.

The passwords are believed to have been uploaded by a Russian hacker to an online forum dedicated to collectively cracking passwords on the site, which sells password recovery software.

They were uploaded without usernames attached and in an encrypted format that transforms password text into a code known as a hash.

Although this encryption makes the password somewhat more difficult to crack, software exists to extract the original passwords from their hashes, and hackers can also guess the hash equivalents of some less-secure passwords.

"A lot of users have very simple passwords like the word 'password' or 'password123'," said Vikram Thakur, a researcher with the computer security firm Symantec. "Even without knowing the hash which is in the database, it's very easy for them to compute the hashes of some very commonly used passwords and then just ... see which one it matches to."

8 million passwords leaked

The technology news site Ars Technica reported that as many as eight million passwords were uploaded to the Inside Pro forum in two separate lists by a user identified as dwdm, with close to 6.5 million of the passwords coming from the LinkedIn database.

It took a user on the forum less than 2½ hours to crack 1.2 million of the hashed passwords, Ars Technica reported.

Without the associated log-in names, the decrypted passwords have limited use, but that doesn't necessarily mean users are safe, says Thakur.

"We can never be certain that the people who put this database onto the public website have disclosed everything that they acquired," he said. "They may have just kept the usernames to themselves, and they're just waiting for the community to come out and tell them what these hashes correspond to. They know which user that password maps to, and they can take control of it."

Hacking into password databases like the ones that were posted to the forum is not a trivial matter, said Thakur.

"Getting a hold of these databases is not easy at all, and whoever did it either had a trick up their sleeve or were very good hackers who were able to circumvent all the security measure that had been put in place," he said.

Password databases are generally stored on an internal network, but for sites like LinkedIn, eHarmony and they would also have to be accessible from an external portal since users have to log in to those sites.


Kazi Stastna

Senior Producer

Kazi Stastna is a senior producer with She has worked as a features writer and copy editor with CBC's digital news team for 10 years. Prior to that, she was a reporter and editor in Montreal, Germany and the Czech Republic. She's currently writing from Washington, D.C.