Passwords Stolen From Last.FM, eHarmony And LinkedIn [Updates]

The discovery of password security breaches at three popular sites has yet again reminded the web that using the same password for every site isn’t a good idea. Passwords have been stolen from millions of users of Last.FM, eHarmony and LinkedIn.

Stolen LinkedIn and eHarmony password hashes were recently uncovered when a hacker asked for help cracking stolen passwords on a public web forum. The passwords were stored as hashes rather than in plaintext, but many of them were “unsalted”, which makes them much easier to crack: every account that chose the same password has the same stored hash, so one correct guess cracks all of those accounts at once. Some passwords were already cracked by the original poster, and within several hours millions more had been split wide open by others.


The number of leaked passwords from these two sites is around 8 million, and almost all have been cracked at the time of this writing. The list does not include account names, but security experts commenting on the breach say it’s reasonable to assume that the original hacker also has access to this information. Even if the hacker does not, the breach would allow anyone to discover the most commonly used passwords for these sites. Those passwords could then be tried against accounts at random.

More bad news rolled in shortly after when Last.fm announced that it was investigating a user password leak. The decision to investigate appears to be related to the leak of eHarmony and LinkedIn passwords. A post on the official Last.fm blog states “This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately”.

That’s good advice. If you use these sites or have used them in the past you should immediately change your password. It’s also a good idea to change your password on any other site where you have used the same password.
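To make the “unsalted” point concrete, here is an added example (not code from the article or from any of the sites named): it stores the same constructed accounts both ways, shows that an unsalted store exposes every account sharing a common password to a single lookup, and includes the duplicate-digest audit a site can run on its own table. SHA-1 and PBKDF2 are assumed for illustration only; the article does not say which algorithms the sites used.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts; not data from any real breach.
USERS = {"alice": "password1", "bob": "Tr0ub4dor&3", "carol": "password1"}
# Constructed stand-in for a list of commonly used passwords.
COMMON = ["123456", "password1", "letmein", "qwerty"]


def unsalted_sha1(password: str) -> str:
    # Bare digest of the password (SHA-1 assumed for illustration): two users
    # who chose the same password end up with identical stored values.
    return hashlib.sha1(password.encode()).hexdigest()

def salted_digest(password: str, salt: bytes) -> str:
    # Per-user random salt plus a slow KDF (PBKDF2): equal passwords give
    # different stored values, and no precomputed table applies to the store.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000).hex()

def store_unsalted(users: dict) -> dict:
    return {u: unsalted_sha1(p) for u, p in users.items()}

def store_salted(users: dict) -> dict:
    # Stored as "<salt hex>$<digest hex>" so the salt travels with the record.
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = salt.hex() + "$" + salted_digest(p, salt)
    return out

def verify_salted(entry: str, password: str) -> bool:
    salt_hex, digest = entry.split("$", 1)
    candidate = salted_digest(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest)

def duplicate_digest_ratio(stored: dict) -> float:
    # Audit check: share of accounts whose stored value also appears for
    # another account. Anything above zero is a strong sign the store is unsalted.
    counts = Counter(stored.values())
    return sum(1 for h in stored.values() if counts[h] > 1) / len(stored)

def accounts_with_common_passwords(stored_unsalted: dict) -> dict:
    # One lookup table built from the common list serves every account at once;
    # this is why an unsalted leak is cracked in hours, and also how a site can
    # find its own weak accounts before forcing a reset.
    table = {unsalted_sha1(w): w for w in COMMON}
    return {u: table[h] for u, h in stored_unsalted.items() if h in table}
```

Running the audit against a salted store returns 0.0 and the lookup table finds nothing, because each record must be recomputed under its own salt.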

Source: Ars Technica



14 Comments

0 votes

Justin Boyle

Is there anything to suggest a relation between these leaks?

0 votes

Matt Smith

The passwords that were posted were found to contain phrases suggesting they were related to both eHarmony and LinkedIn (but mostly LinkedIn).

As for Last.fm, the company has simply stated what was quoted in the news posts. I don’t think anyone had found what they thought to be Last.fm passwords in the hashes posted, but the phrasing of the Last.fm blog post seems to suggest the company thinks there is a link.

0 votes

Nick Bruce

What’s weird about these attacks is that they happen in bursts. Like, there have been 3 sites with concerns now, but for the past few months you haven’t heard anything about these kinds of attacks.

0 votes

Cliff Mccullar

Well that really comes down to a few things Nick, one of them being that companies tend to try to keep stuff like this extremely quiet. For instance Apple has had 3 MAJOR break ins, that it did not inform its customers about, and flat out denied happened, yet you can find 3 separate blocks of massive amounts of iTunes users complaining about fraud (all with the same issue, happening in a small amount of time (days)). Secondly the amount of sites broken into daily is a staggeringly large number; it’s so common that even when the sites DO report it correctly or inform their users that it has happened, it amounts to a drop in the bucket. Oh they got 10000 cc numbers? It’s not newsworthy, you’re not going to hear about it unless you go searching for it. Just like every car accident in the country isn’t headline news on CNN, there are just too many of them. So you will tend to only hear about the REALLY big break ins that the companies report. But I can also think of a number of major breaches that happened “solo”, such as Hotmail or Yahoo, Microsoft etc. It’s just not as impressive to report that Yahoo got broken into and hey so did these 30 websites you have never heard of as well. Yahoo is the headline event, you don’t need 30 sites who get minimal hits per day as is.

The final thing on this in my opinion though is the worst: no one seems to get what a huge problem this is. Companies by and large just don’t put resources into securing their systems, let alone training all their employees in security awareness. The “press” is so used to these attacks now that it doesn’t see the forest for all the trees, and what kind of a threat that is to everyone. Because the press isn’t informing the public, the public (such as yourself) is unaware of the major issue that it is so that you can start protecting yourself. The end result? Over 1b in damages a year and climbing.

0 votes

Mihovil Pletikos

Yeah, I agree. I wonder how many times this happened to other sites but was covered up (hey Apple!!!! OK, not just them….)

0 votes

Raks

How do they actually steal passwords from these secure sites?

0 votes

Tina

It’s called hacking. Truth is, every security system has a hole or weak spot somewhere. If we could explain in detail how to identify and exploit the security hole, we could be hackers, too. Fortunately, it’s not that easy!

0 votes

Mario

Truth is, many “big websites” have insecure systems built by noobs.

0 votes

Scutterman

Thanks for the informative article. I don’t follow the Last.FM blog or twitter, so I wouldn’t have known about this otherwise.

0 votes

Himanshu Singla

This is a real worry because even websites like LinkedIn got hacked... so nothing is secure on the web, I think….

0 votes

Jon Smith

Wasn’t surprised that password1 was compromised, according to the site that told you what was compromised.

0 votes

Wiry Andi

In my opinion, a good password to use is a combination of numbers and characters,
and it’s best if the characters are capitalised as well, though it’s hard to remember.
Anyway, what does “unsalted” mean?

0 votes

Theo Reisinger

This seems to be a common theme lately. I feel that says more and more about why you should practice internet/password security.