An update on Last.fm Password Security

Friday, 8 June 2012
by Matthew Hawn
filed under About Us and Announcements
Comments: 63

Hello from Last.fm HQ,

Earlier this week, Last.fm received an email that let us know a text file containing cryptographic strings for passwords (known as “hashes”) that might be connected to Last.fm had been posted to a password cracking forum. We immediately checked the file against our user database, and while this review continues, we felt it was important enough to act on.

We immediately implemented a number of key security changes around user data and we chose to be cautious and alert Last.fm users. We recommend that users change their password on Last.fm and on any other sites that use a similar password. All the updated passwords since yesterday afternoon have been secured with a more rigorous method for user data storage.

To reach as many users as quickly as possible, we are sending these alerts via social media, direct email and on the Last.fm site itself.

We take the security of our users very seriously, and going forward we want you to know we’re redoubling our efforts to protect our users’ data.

Thanks for your support,

The Last.fm Team

Comments

  1. Daryl Tucker
    8 June, 19:28

    Do you plan on releasing the passwords gathered? Was it the entire database?

    Do you use salts in a separate database on a separate machine?

    Most importantly, thank you for your disclosure of the incident, as even though this shows a fault, it shows overwhelming integrity and respect for your users.

    Daryl Tucker – 8 June, 19:28
  2. suicidschraube
    8 June, 19:28

    thanks!

    suicidschraube – 8 June, 19:28
  3. Alex
    8 June, 19:34

    Any word on if only the hashes were leaked or are also usernames/e-mail addresses involved?

    Alex – 8 June, 19:34
  4. Scrobble-junkie
    8 June, 20:05

    Sounds sound. But there is still a lot of static that keeps buzzing: why, why, when, how…?

    Why didn’t y’all tell us our new passwords would be (more) secure? They weren’t before, and we could not assume they would be in the near future.

    Why wasn’t it secure in the first place? md5 has been deprecated since 2009!

    When did the leak occur? I’ve been reading on Twitter that it dates back to 2010/2011.

    How many users have been affected? Would it be possible to warn users for weak passwords (an entropy check could do the trick)?

    Scrobble-junkie – 8 June, 20:05
  5. A Last.fm User
    8 June, 20:21

    These passwords have been circulating since at least 2011.

    http://www.reddit.com/r/netsec/comments/upyu4/lastfm_password_security_update_we_are_currently/c4xj1dw

    Why have you only found out about this now?
    Google Alerts exists for a reason, tell your SysAdmin(s) to use it.

    — A SysAdmin

    A Last.fm User – 8 June, 20:21
  6. vlad-impatient
    8 June, 20:27

    If I don’t see a direct e-mail from you, does it mean my password is probably not in the leaked data set?

    And can you (re)confirm the leaked data set was of hashes and not of unencrypted data?

    Thanks!

    vlad-impatient – 8 June, 20:27
  7. Oliver
    8 June, 20:32

    One really simple question I’d be grateful if you could please answer, as soon as possible: What does this actually mean for us?

    a) That they just have our passwords?
    b) That they have our usernames/e-mails/passwords/other info?
    c) That they don’t have a) or b) yet but they could if they cracked the files they got hold of?

    I’m pretty tech-savvy but I’m struggling to understand what “a text file containing cryptographic strings for passwords (known as “hashes”) that might be connected to Last.fm” actually means in real terms.

    Oliver – 8 June, 20:32
  8. A Last.fm User
    8 June, 20:51

    I just got the email from you.
    I’m sorry, but you’re not doing a very good job at handling this.

    http://imgur.com/d3Pre

    Why set the source of the Google link to ct.last.fm?

    Also, this entire email seems to originate from CNET’s servers, NOT last.fm

    A Last.fm User – 8 June, 20:51
  9. Ivana
    8 June, 21:01

    I deactivated my Facebook account 3 days ago, whose link I’ve left on my last.fm profile, and a friend of mine told me today that my fb profile is viewable, and it really was. Passwords were similar. May it be related?

    Ivana – 8 June, 21:01
  10. Nathan
    8 June, 21:32

    Your post is awfully light on crucial technical information. I know you are still investigating, but you need to disclose more about your internal password storage policies so we can accurately gauge the risk we, your users, have been exposed to.

    1. Are the leaked password hashes salted? This is an important detail, because if the hashes weren’t salted, attackers could discover users’ passwords using a dictionary attack. If they weren’t salted, it is likely users who used simple passwords have already had their accounts compromised.

    2. What type of hashing algorithm did you hash the passwords with? The hashing algorithm determines how fast an attacker can wage a dictionary attack against the list of hashes.

    3. How large is the list of hashes that you received?

    Please don’t leave us waiting for these answers. We need to be able to make informed decisions and that is something we cannot do without all available information.

    Thank you.

    Nathan – 8 June, 21:32
  11. Renegade-Industrialist
    8 June, 21:33

    A couple of questions, when you say the passwords were hashed.

    1) How was the hash created? With SHA-1?

    2) Were the passwords also salted, if not – then why not?

    Renegade-Industrialist – 8 June, 21:33
  12. Paul G. Chapman
    8 June, 21:38

    What? So I take care to generate a very good password containing upper case, lower case, numbers and characters then some bum lets the file with that leak. You always get some geek hunting for cracks, WISE UP.

    It takes hours checking all the sites I use to check and change passwords. Thank goodness Last.fm was only an L2 password here >:-)

    Paul G. Chapman – 8 June, 21:38
  13. Paul Johnson
    8 June, 21:47

    That’s odd, your G+ profile hasn’t been updated since Christmas Eve, Last.fm…

    Paul Johnson – 8 June, 21:47
  14. Paul Johnson
    8 June, 21:47

    Also, unsalted hashes? WTF is your issue, last?

    Paul Johnson – 8 June, 21:47
  15. E. Anonymous
    8 June, 22:14

    Would be nice to get some “real” information. Also, why do people always act when it is already too late? You said you improved your system – but why now? Why not at the time you were building it? Is it so hard to make one thing right? C’mon!

    E. Anonymous – 8 June, 22:14
  16. Alden
    8 June, 22:20

    How about you let us change our usernames as well as our passwords??

    Alden – 8 June, 22:20
  17. Sosa
    8 June, 22:27

    what in the world are hashes and salts?! I am terribly confused.

    Sosa – 8 June, 22:27
  18. Loki-Afro
    8 June, 23:06

    Same questions as before: salted passwords, and which algorithm? Also, how much data did you lose?

    Loki-Afro – 8 June, 23:06
  19. Ritch
    8 June, 23:17

    If you’ve been informing users by direct e-mail, then I have yet to receive one. It’s alright though, because a friend of a friend told me after they read about it on a news site; good to know my subscription goes towards such proactivity…

    Ritch – 8 June, 23:17
  20. greysoul
    9 June, 00:23

    Unfortunately, like other sites which have experienced this issue, last.fm does not seem to be taking it seriously enough nor taking sufficient measures to protect and inform their user base.

    greysoul – 9 June, 00:23
  21. Tom
    9 June, 00:24

    I did not receive an email about this either, just saw the announcement on the homepage.

    As many others have pointed out, you need to release technical details asap. You messed up by (apparently) using outdated, known-to-be-insecure authentication; the least you can do now is full disclosure of hashing, salting, data fields (email?), etc. of the leaked data so that we can accurately assess the implications.

    Once again, this is a major problem, you are at fault, and so far your reaction has been inadequate. React.

    Tom – 9 June, 00:24
  22. Scott
    9 June, 01:10

    Read about this on the BBC news website, no email from you last.fm, thanks for the heads up!!!

    I’m glad I stopped using your website when subscriptions came in.

    You have not provided enough info on the breach; you can continue to investigate and be forthcoming with what you have already, and as requested by many users we want answers on the technical methods you used to save our passwords.

    Scott – 9 June, 01:10
  23. George
    9 June, 01:17

    So, Unsalted Md5 right? ….

    George – 9 June, 01:17
  24. Drulak
    9 June, 02:53

    Dear gullible people. IF you receive an e-mail from Last.fm concerning this, DO NOT click on links inside that e-mail.

    Right now is the perfect chance for “the hackers” to send compromised people fake e-mail from Last.fm, containing innocent looking links that lead you to malware sites, and an even bigger mess than what your weak password has gotten you into.

    You should MANUALLY type www.last.fm into your address bar and change your password there.

    Cheers.

    Drulak – 9 June, 02:53
  25. Parasram jat
    9 June, 05:18

    Ok, Thank you for the update

    Parasram jat – 9 June, 05:18
  26. babelmodem
    9 June, 06:26

    > Why wasn’t it secure in the first place? md5 has been deprecated since 2009!

    > Also, unsalted hashes? WTF is your issue, last?

    The audioscrobbler protocol requires that the client and server know either the raw password, or a plain unsalted MD5 hash. Therefore, the hashes could not have been stored in a more secure form.

    babelmodem – 9 June, 06:26
  27. datregon
    9 June, 06:34

    I almost got my gmail account hacked today. I used to have the same password on my last.fm account. I seriously doubt that it is coincidental. Gmail warned me of a suspicious entrance to my account from an IP address that I tracked down to Argentina. I hope that they didn’t have enough time to steal any vital data; nonetheless I’m seriously enraged over the fact that it was compromised. I love the service that Last.fm provides and I am an active user, but if there aren’t any security improvements that make me feel safe again on the site I’ll certainly close it.

    datregon – 9 June, 06:34
  28. MarkyMark81
    9 June, 06:56

    Funny thing is that I found out about the stolen passwords from my local news. No email from you guys regarding this. Nice job.

    MarkyMark81 – 9 June, 06:56
  29. Michael
    9 June, 07:50

    Lots of questions and very few answers.

    >The audioscrobbler protocol requires that the client and server know either the raw password, or a plain unsalted MD5 hash. Therefore, the hashes could not have been stored in a more secure form.

    This isn’t really a good excuse. I understand that the implications are greater than they would be if you just needed to change the hashes, but for circumstances exactly like this, things like the audioscrobbler protocol need to be updated to comply with up-to-date standards.
    Otherwise, when the s**t hits the fan, you’re caught with your pants down.

    Michael – 9 June, 07:50
  30. Loki-Afro
    9 June, 08:36

    http://www.heise.de/newsticker/meldung/Passwort-Lecks-groesser-als-angenommen-1613946.html

    says: 17 million (last.fm + LinkedIn + eHarmony) unsalted MD5 hashes, leaked summer 2011

    the public lists do not contain email addresses or user names, just the hashes.

    A former design architect of last.fm said: the weak password security is because of the mobile API (http://www.lastfm.de/api/mobileauth)

    Loki-Afro – 9 June, 08:36
  31. Mike
    9 June, 13:23

    All very interesting, BUT HOW DO I UNSUBSCRIBE??? You have forgotten a basic principle… the KISS principle KEEP IT SIMPLE STUPID

    Mike – 9 June, 13:23
  32. Ben
    9 June, 14:13

    I began receiving spam to the e-mail address I only use for last.fm (using the catchall@domain method) on the 16th May. I have only been a last.fm subscriber since November 2011. That means there’s a separate list to the Summer 2011 one.

    Ben

    Ben – 9 June, 14:13
  33. Laogui
    9 June, 15:12

    What the hell is Last.fm, and how is my email associated in any way with it? Is the spam/scam just shotgun shooting Lao Gui

    Laogui – 9 June, 15:12
  34. J
    9 June, 17:17

    My email was hacked from Poland, possibly Lublin. I have the IP and worked out where they are. I was given the IP by my mail server, the same as the other guy on here had posted. This isn’t good.

    J – 9 June, 17:17
  35. Someone
    9 June, 22:43

    If you guys knew about ‘more rigorous’ methods to store data, why didn’t you implement these in the first place?

    Someone – 9 June, 22:43
  36. Jimmie
    10 June, 00:09

    Here’s some info that I found useful after finding out how last.fm handles their users data:

    “Should you wish to permanently delete your account, you can do this on the “Data” tab in your settings.

    From here, make sure you enter your password correctly, and confirm that you want to delete your account.”

    Jimmie – 10 June, 00:09
  37. Mary
    10 June, 07:48

    Drulak is the only one making sense here.

    Listen to Drulak, people.

    Mary – 10 June, 07:48
  38. Harry
    10 June, 11:13

    I heard about this breach on the news. No heads up in my inbox from last.fm. Well managed guys!

    Harry – 10 June, 11:13
  39. Paul G
    10 June, 13:16

    What a shame this happened at the weekend. Maybe when the staff get back on Monday then they’ll start to address this issue. Obviously, leaking 40 million user details isn’t important enough to warrant people working at the weekend.

    Absolute joke. Deleted my account, these clowns can’t be trusted.

    Paul G – 10 June, 13:16
  40. fmdaisy
    10 June, 15:20

    I don’t know, maybe less foosball and more attention paid to securing the site …. just a thought?

    fmdaisy – 10 June, 15:20
  41. Steve
    11 June, 09:14

    http://codahale.com/how-to-safely-store-a-password/
    This guy makes a strong case that if there were a salt, it wouldn’t have mattered that much.
    Use bcrypt (or scrypt).

    @People who are asking for more information
    Assume the worst. Start using a password manager.

    Steve – 11 June, 09:14
  42. Richard Whitehouse
    11 June, 09:48

    If the weakness is due to the audioscrobbler protocol then redesign the protocol!

    Richard Whitehouse – 11 June, 09:48
  43. Tims
    11 June, 13:42

    @Richard_Whitehouse This has nothing to do with the scrobbling protocol.

    Tims – 11 June, 13:42
  44. Sam
    11 June, 15:10

    Wow I only just found out about this because I was browsing BBC news for something else.

    I received no email or anything about this, and I find it more worrying that there is no information other than that passwords were leaked. I am more anxious to know if emails and usernames were leaked also.

    Sam – 11 June, 15:10
  45. Pissed
    11 June, 16:31

    I received an email on June 9th. I opened it, but closed it, re-started my computer and logged into last.fm from my browser, not from my email. Don’t know if anyone got this, if it’s official or if it’s phishing.
    All embedded links go to ct.last.fm/clicks, as well as their link to google. This is what made me close the email. However, I did have an issue signing into my email, which is utilized by last.fm, however the passwords are not the same. It said I had exhausted my login attempts and had been locked out.

    Not good. As a Privacy professional for a Fortune 100 Financial Services company, although I am in a different industry, it’s unfortunate that the laws only require them to do a little, depending on the information breached. If it’s a social security number or the such, they are required to notify you directly. I assume passwords for an entertainment site do not fall under this requisite, although people may have other accounts breached now, to which all last.fm has to say is it’s the user’s fault for utilizing the same password. Also, I am referencing US laws. I heard Europe is a little more lax.

    Looks like last.fm will be losing users and they do not care.

    ———————————————————

    Hi X,
    We are currently investigating the leak of some Last.fm user passwords. This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately.
    Please log in to Last.fm and change your password on your settings page.
    Your username is: X
    Your email address is: X
    We will never email you a direct link to update your settings or ask for your password.
    We strongly recommend that your new Last.fm password is different to the password you use on other services. For more advice on choosing a solid password we recommend: http://www.google.co.uk/goodtoknow/online-safety/passwords/
    We’re sorry for the inconvenience around changing your password; Last.fm takes your privacy very seriously. We’ll be posting updates in our forums and via our Twitter account as we get to the bottom of this. A copy of this message is online at http://www.last.fm/passwordsecurity.
    Thanks,
    The Last.fm Team

    Last.fm Ltd, Karen House, 1-11 Baches Street, London, UK N1 6DL

    Pissed – 11 June, 16:31
  46. Pissed
    11 June, 16:57

    Don’t know how many people would do this after potentially having their password stolen, but this site has the hash strings that were breached for Last, eHarmony and LinkedIn.

    https://lastpass.com/lastfm/

    Pissed – 11 June, 16:57
  47. Lee B.
    11 June, 18:39

    I’ve tried several times to follow your instructions and reset my password. I give up! I’m safe if whoever stole my password encounters as much difficulty even logging in as I have.

    Lee B. – 11 June, 18:39
  48. Ben Harris
    11 June, 18:58

    Like Ben above, I created my last.fm account since summer 2011 (Feb 2012 in my case), and I used a unique email address for it. This address received spam (advertising “Bet2day Casino”) on 14th May. I reported this to legal@last.fm the same day. This suggests that more than just password hashes escaped.

    Ben Harris – 11 June, 18:58
  49. HK
    12 June, 20:58

    No email here either, just the banner which I happened to see when I logged in the other day – I don’t normally look at that part of the page, so I’m glad I did.
    Normally you guys are more than happy to send emails about all sorts of things, but this one seems to have gone through to the keeper entirely.

    HK – 12 June, 20:58
  50. faraway99
    12 June, 21:42

    Have changed my password,
    now I am obviously no subscriber anymore, even though I have paid for it.
    Fix that!

    faraway99 – 12 June, 21:42
  51. boikot
    13 June, 10:57

    This does not look “very seriously” to me at all.

    boikot – 13 June, 10:57
  52. André
    13 June, 13:51

    I’d also like to hear why I get spam on my e-mail address I ONLY use for last.fm! It’s pretty obvious that NOT only passwords have been hacked. :-(

    André – 13 June, 13:51
  53. Noah
    13 June, 23:23

    It’s not “a leak” or a “situation” that we’re talking about. My faucet leaks, and the Situation is on MTV. Cut the euphemisms and own up to what happened — deal with it forthrightly and we’ll have more respect for Last.fm.

    Noah – 13 June, 23:23
  54. Guy Manningham
    14 June, 20:13

    It’s good to see you guys taking the necessary measures to avoid a security leak to the extent of LinkedIn’s recent gaffe.

    Guy Manningham – 14 June, 20:13
  55. Filip Dupanović
    14 June, 21:56

    I also agree with other users who voiced their concern that you’re holding back crucial information about how the passwords were stored, information that you have readily available without the need to conduct any sort of investigation.

    Thanks for the heads-up Matthew, but you need to do the right thing and tell us how the hashes were constructed and what other data was associated with our passwords—I shouldn’t have to search online or read from other sources to find that out.

    Filip Dupanović – 14 June, 21:56
  56. Suckadick
    18 June, 01:16

    I can’t login to my account. Thank you very much Last.fm for being totally idiotic! I want my account back!

    Suckadick – 18 June, 01:16
  57. Kamiccolo_real
    18 June, 23:26

    Oh, nice, those who stole the passwords aren’t sleeping. My old password was just changed by them. Thanks for the password reset ability.

    Kamiccolo_real – 18 June, 23:26
  58. Paco H. H.
    20 June, 08:07

    This is beyond belief. We Spanish users have only just received the intrusion warning email, hahaha, and this post went up 12 days ago… and there’s more, because I have read that these passwords have been circulating since 2011.
    What a plan!!! The crooks have doctorates, and the people in charge of security are in kindergarten.

    Paco H. H. – 20 June, 08:07
  59. heise fanboy
    25 June, 13:04

    For those of you who know German, there is a nice comment on heise security: http://heise.de/-1612661

    heise fanboy – 25 June, 13:04
  60. heise fanboy
    25 June, 13:07

    Ah, there exists an English version of that article as well: http://h-online.com/-1612877

    heise fanboy – 25 June, 13:07
  61. alfa-kappa
    28 June, 15:52

    Thank you for advertising, but my last.fm is not important and doesn’t contain important information. I can’t hear my personal radio station on my smartphone; I can only scrobble my playlist. If someone is logged in as me to hear my radio station (can’t make another), this is the best compliment for me. Seriously, I’m thinking of deleting my account if the situation doesn’t change.
    Cheers

    alfa-kappa – 28 June, 15:52
  62. s
    29 June, 20:38

    If last.fm released their encryption information, wouldn’t they be making it easier for the hackers to get what they need? Do we really want this information posted on a public forum or sent to compromised email accounts?

    s – 29 June, 20:38
  63. Chris
    2 July, 00:24

    I’ll do it the easy way and write in German:
    I am having great trouble figuring out whether the email from LastFM isn’t itself phishing. Which domain is the “RIGHT” one now?

    www.last.fm – that is where the link to enter the password led,

    but

    www.lastfm.de/home – was the address when I signed up.

    It looks like you use both, but for the user that is very confusing!

    Chris – 2 July, 00:24

Comments are closed for this entry.
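As an added example (not part of the post or of any comment above), the constraint babelmodem’s comment describes, where the server must keep md5(password) because the Audioscrobbler 1.2 handshake token is md5(md5(password) + timestamp), set beside the salted slow-hash storage Steve’s comment recommends, and the consequence Michael draws: the protocol has to change before the storage can. The sample password, the fixed timestamp and the use of PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt/scrypt are my assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample credential for the demonstration; not a real account.
PASSWORD = b"correct horse"
TIMESTAMP = "1339200000"  # fixed Unix time so the handshake below is reproducible


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# --- Legacy scheme, as babelmodem describes it: the server must hold md5(password).
# In the Audioscrobbler 1.2 handshake the client sends md5(md5(password) + timestamp);
# the server can only recompute that if it stores the plain, unsalted md5(password).
def legacy_client_token(password: bytes, timestamp: str) -> str:
    return md5_hex((md5_hex(password) + timestamp).encode())


def legacy_server_verify(stored_md5: str, timestamp: str, token: str) -> bool:
    expected = md5_hex((stored_md5 + timestamp).encode())
    return hmac.compare_digest(expected, token)


# --- Hardened storage: a random per-user salt plus a deliberately slow KDF.
# PBKDF2-HMAC-SHA256 from the standard library stands in (assumption) for the
# bcrypt/scrypt Steve's comment recommends; record layout and verify step are the same.
ITERATIONS = 200_000


def make_record(password: bytes, salt: bytes = b"") -> dict:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_record(record: dict, password: bytes) -> bool:
    digest = hashlib.pbkdf2_hmac(
        "sha256", password, bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo() -> dict:
    """Two users who happen to choose the same password, stored both ways."""
    legacy_a, legacy_b = md5_hex(PASSWORD), md5_hex(PASSWORD)
    rec_a, rec_b = make_record(PASSWORD), make_record(PASSWORD)
    token = legacy_client_token(PASSWORD, TIMESTAMP)
    return {
        # Unsalted MD5: equal passwords give equal stored values, so one recovered
        # hash (or one precomputed table) covers every account sharing that password.
        "legacy_hashes_collide": legacy_a == legacy_b,
        # Salted KDF: equal passwords give unrelated records.
        "salted_hashes_collide": rec_a["hash"] == rec_b["hash"],
        # The legacy handshake works only because the store holds md5(password).
        "legacy_token_accepted": legacy_server_verify(legacy_a, TIMESTAMP, token),
        # A salted store verifies a submitted password normally ...
        "salted_verify_ok": verify_record(rec_a, PASSWORD),
        "salted_verify_wrong_password": verify_record(rec_a, b"wrong"),
        # ... but it cannot validate the legacy token: md5(password) is gone, so the
        # protocol itself has to change before storage can (Michael's point).
        "legacy_token_against_salted_store": legacy_server_verify(rec_a["hash"], TIMESTAMP, token),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```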