While Last.fm informed users in 2012, passwords were easily cracked.

The contents of a March 2012 breach of the music tracking website Last.fm have surfaced on the Internet, joining a collection of other recently leaked “mega-breaches” from Tumblr, LinkedIn, and MySpace. The Last.fm breach differs from the Tumblr breach, however, in that Last.fm knew about the breach when it happened and informed users in June of 2012. But more than 43 million user accounts were exposed, including weakly hashed passwords—96 percent of which were cracked within two hours by researchers associated with the data breach detection site LeakedSource.
Last.fm is a music-centered social media platform—it tracks the music its members play, aggregating the information to provide a worldwide “trending” board for music, letting users learn about new music and share playlists, among other things. The 2012 database breach contained usernames, passwords, the date each member joined the service, and internal data associated with the account. The passwords were stored as unsalted MD5 hashes, with no per-user salt and no slow key derivation.
“This algorithm is so insecure it took us two hours to crack and convert over 96 percent of them to visible passwords, a sizable increase from prior mega breaches,” a member of LeakedSource wrote in a post about the data. Ars confirmed the LeakedSource data using our own Last.fm account information.
The contents of the database are somewhat representative of where passwords were in 2012 (and possibly still are on many services). Of the 41 million passwords that were successfully extracted, 255,000 of them were “123456.” The next most popular password, used by 92,000 users, was “password.”
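The following added example (not code from Last.fm, LeakedSource, or Ars; the password records are constructed) shows why unsalted MD5 storage lets all 255,000 “123456” accounts fall at once: every user with the same password stores the same digest, so a single known digest identifies all of them. It contrasts that with per-user random salts and a slow key derivation function (PBKDF2-HMAC-SHA256), which gives each user a distinct stored value even when passwords repeat.

```python
import hashlib
import hmac
import os

# Constructed sample records; not data from the Last.fm dump. The repeats mirror
# the article's point that hundreds of thousands of users chose "123456".
SAMPLE_PASSWORDS = ["123456", "password", "123456", "correct horse", "123456"]


def unsalted_md5(password: str) -> str:
    """The scheme the article describes: one MD5 over the raw password, no salt.
    Identical passwords yield identical digests across all users."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_salted_record(password: str, iterations: int = 600_000) -> tuple[bytes, str]:
    """Defensive alternative: a 16-byte random salt per user plus a slow KDF
    (PBKDF2-HMAC-SHA256). Returns (salt, hex digest) for storage."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest.hex()


def verify_salted(password: str, salt: bytes, stored_hex: str, iterations: int = 600_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), stored_hex)


def distinct_unsalted(passwords: list[str]) -> int:
    """Distinct stored values under unsalted MD5: one per distinct password,
    so the stored table itself reveals which users share a password."""
    return len({unsalted_md5(p) for p in passwords})


def distinct_salted(passwords: list[str], iterations: int = 600_000) -> int:
    """Distinct stored values with per-user salts: one per user, even when
    the underlying passwords repeat."""
    return len({make_salted_record(p, iterations)[1] for p in passwords})


if __name__ == "__main__":
    print("unsalted MD5 of 123456:", unsalted_md5("123456"))
    print("distinct values, unsalted:", distinct_unsalted(SAMPLE_PASSWORDS))
    print("distinct values, salted:", distinct_salted(SAMPLE_PASSWORDS, 10_000))
    salt, stored = make_salted_record("correct horse", 10_000)
    print("verify right password:", verify_salted("correct horse", salt, stored, 10_000))
```

The iteration count is lowered in the demo only to keep it fast; production deployments should keep the default or higher, or use a memory-hard function such as Argon2.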
LeakedSource said that it has a number of additional “megabreaches” that will be revealed in the next month or so, all harvested from dumps to the Internet. “We have so many databases waiting to be added that if we were to add one per day it would still take multiple years to finish them all,” a spokesperson for LeakedSource wrote.