• Last.fm has had a possible leak of passwords, change your password now!
Sources:
[URL]http://www.last.fm/passwordsecurity[/URL]
[URL]http://thenextweb.com/insider/2012/06/07/change-your-last-fm-password-now-there-may-have-been-another-security-breach/[/URL]
[url]http://www.theverge.com/2012/6/7/3070639/last-fm-password-leak[/url]

[quote]
[B]Last.fm Password Security Update[/B]
7th June 2012

We are currently investigating the leak of some Last.fm user passwords. This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately.

[URL="http://www.last.fm/settings/password"]Change your password[/URL]

We strongly recommend that your new Last.fm password is different to the password you use on other services. For more advice on choosing a solid password we recommend: [URL]http://www.google.co.uk/goodtoknow/online-safety/passwords/[/URL]

We’re sorry for the inconvenience around changing your password; Last.fm takes your privacy very seriously. We’ll be posting updates in our forums and via our [URL="http://twitter.com/lastfm"]Twitter account (@lastfm)[/URL] as we get to the bottom of this.

[B]The Last.fm Team[/B]
[/quote]

[quote]
24 hours after LinkedIn [URL="http://thenextweb.com/insider/2012/06/06/linkedin-confirms-some-passwords-stolen-were-from-its-database/"]confirmed a massive password leak[/URL], online music streaming service Last.fm has [URL="http://www.last.fm/passwordsecurity"]issued a statement[/URL] saying that it’s currently investigating whether it too has leaked some of its users’ passwords. As such, the company is recommending that all users log in to their account and change their passwords through their settings page. “This follows recent password leaks on other sites, as well as information posted online,” says the company’s statement. “As a precautionary measure, we’re asking all our users to change their passwords immediately.”

Naturally, Last.fm is recommending that your new password is unique and is nothing obvious. Whilst Last.fm hasn’t confirmed the exact nature of the leak yet, or indeed whether there has definitely been a leak, it seems that this is a precautionary measure at the very least and I guess you have to give credit to Last.fm for making this announcement of its own accord.

Yesterday, LinkedIn confirmed that user passwords to its site were compromised, giving the official nod to the [URL="http://thenextweb.com/socialmedia/2012/06/06/bad-day-for-linkedin-6-5-million-hashed-passwords-reportedly-leaked-change-yours-now/"]story we ran earlier in the day[/URL] that as many as 6.5m passwords could’ve been accessed. We’ve reached out to Last.fm and will be sure to update you when we find out more on this.
[/quote]
Thanks for the info mate. [editline]7th June 2012[/editline] I don't think the notice bar is good enough.
Eh, i don't really care if mine is hijacked, god forbid i need to make another account to listen to music to.
[QUOTE=mysteryman;36235064]Eh, i don't really care if mine is hijacked, god forbid i need to make another account to listen to music to.[/QUOTE] people actually use last.fm to listen to music?
[QUOTE=Sanius;36235091]people actually use last.fm to listen to music?[/QUOTE] I do on my android and sometimes my xbox. Also, it kinda helps me find new bands.
Well apparently there's 40million+ Last FM users. So this may be a big one.
Well that's great. Paranoia enabled.
god damn it
Fucking hell done
I'm going to wait until there is some way to check if my old-ass account is even affected by this leak, before I start trying to think of all the sites and services that might share that same old password I used on various accounts 4 or 5 years ago. What makes this even more annoying is that I never really used that site anyway.
Fuck I don't remember all the sites with the same password. Oh well, they can't be that important if they have the same password / I can't remember them.
This is the password I use on all the sites that aren't important so I don't really care.
I don't give a shit it's free anyway
[QUOTE=Jah Mason;36235994]I don't give a shit it's free anyway[/QUOTE] not if you use the subscription
I don't even remember my password v:v:v
I should be changing my passwords anyways.
Well I don't really use the same password anywhere, so this leak isn't that horrifying, just a minor annoyance.
.
Lol who gives a fuck it's lastfm not my PayPal account O SHITT HAKERS ARE GONNA SCROBLE LADY GAGA
time to change my password from 1234 to 12345
oh no
if my account gets compromised all my beautiful snoop dogg plays will be gone :'-(
[QUOTE=Lemonator;36238369]Lol who gives a fuck it's lastfm not my PayPal account O SHITT HAKERS ARE GONNA SCROBLE LADY GAGA[/QUOTE] people could see if you have accounts elsewhere and hack those too (if you have the same password) didn't something like that happen here? i am a dumb nigger or w/e
This apparently happened in 2010/2011, and it's just now getting out to the public.

[url]https://twitter.com/CrackMeIfYouCan/status/210776061410148354[/url]
[quote]Hey All, this is @CrackMeIfYouCan (I run the DEFCON password cracking contest)

First off, "NO" I will not share the list. I don't own it. And it's not my data. That is a risk I do not wish to take. If someone else shares it, I will pass on the link.

As I said on twitter - the list has been "out there" for a long time. I talked about it privately at 2011 DEFCON. It was originally posted by "bad guys" on password cracking websites last year. I grabbed it, but it was promptly deleted.

It's 17.3 million UNIQUE MD5s. So, who knows HOW many people used 'lastfm' as their passwords. Currently I have it at 95% cracked. Which is about average for a raw-md5 list.[/quote]
- [url]http://www.reddit.com/r/netsec/comments/upyu4/lastfm_password_security_update_we_are_currently/c4xj1dw[/url]

[quote]Russ Garrett (Systems Architect at Last.fm in the past) on "unsalted MD5" issue:

@jgrahamc the last.fm API mobile auth scheme ([url]http://www.last.fm/api/mobileauth[/url]) requires that the password is stored as an unsalted MD5 on the server.

@jgrahamc The API auth mechanisms are old - they predate oAuth/xAuth by a sizeable margin - but it was ultimately a crap bit of design.

@jgrahamc ultimately the unsalted MD5 auth was doing. In my defence: I was 18. It was 2003. The PHP community had no idea of bcrypt then.

@jgrahamc Absolutely. It's something I very much regret not doing before I left (~3 years ago). [it's an answer to "@russss Understood. But in the intervening 9 years it would be possible for last.fm to do a 'when someone logs in' algorithm upgrade."]

@jgrahamc although, worth noting that it's impossible for last.fm to fully get rid of MD5 hashes until that mobile auth method is removed.[/quote]
- [url]http://www.reddit.com/r/technology/comments/uq072/lastfm_hacked_change_your_password/c4xklki[/url]

Based on this information it looks like you're most likely to be affected if you used the lastfm mobile app. Unless they store an unsalted MD5 regardless of your usage of the mobile app.
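The "when someone logs in" algorithm upgrade that jgrahamc asks about in the quoted tweets, and why two users with the same password end up with the same unsalted MD5 (the point behind the "who knows how many used 'lastfm'" remark), as an added example that is not Last.fm's code. The record layout, user names and the PBKDF2 target format are constructed assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed legacy store: the server holds only md5(password), no salt,
# which is what the quoted tweets say the mobile auth scheme requires.
# Note that alice and bob share one password and so share one hash.
LEGACY_MD5 = {
    "alice": hashlib.md5(b"lastfm").hexdigest(),
    "bob": hashlib.md5(b"lastfm").hexdigest(),
}

# Hypothetical upgraded store: username -> (salt, iterations, derived key).
UPGRADED = {}
ITERATIONS = 200_000


def verify_legacy(username, password):
    """Check a password against the unsalted MD5 record (constant-time compare)."""
    stored = LEGACY_MD5.get(username)
    if stored is None:
        return False
    candidate = hashlib.md5(password.encode()).hexdigest()
    return hmac.compare_digest(candidate, stored)


def verify_upgraded(username, password):
    """Check a password against a salted PBKDF2-HMAC-SHA256 record."""
    rec = UPGRADED.get(username)
    if rec is None:
        return False
    salt, iters, key = rec
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(dk, key)


def login(username, password):
    """Login with opportunistic rehash: a successful legacy check rewrites the
    record as a salted slow hash and retires that user's MD5 entry. Deleting
    the MD5 is only possible once no client scheme needs md5(password) on
    the server, which is the constraint the last tweet above describes."""
    if verify_upgraded(username, password):
        return True
    if not verify_legacy(username, password):
        return False
    salt = os.urandom(16)  # per-user salt: equal passwords no longer collide
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    UPGRADED[username] = (salt, ITERATIONS, dk)
    del LEGACY_MD5[username]
    return True
```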
[QUOTE=Hamsterjuice;36239879]people could see if you have accounts elsewhere and hack those too (if you have the same password) didn't something like that happen here? i am a dumb nigger or w/e[/QUOTE] The dumb nigger was due to a script, but yes I do think we had a case of that here.