The discovery of password security breaches at three popular sites has yet again reminded the web that using the same password for every site isn’t a good idea. Passwords have been stolen from millions of users of Last.FM, eHarmony and LinkedIn.
Stolen LinkedIn and eHarmony password hashes were recently uncovered when a hacker asked for help cracking stolen passwords on a public web forum. The passwords were hashed, but many of them were “unsalted,” making them easier to crack. Some passwords had already been cracked by the original poster, and within several hours millions more had been split wide open by others.
The number of leaked passwords from these two sites is around 8 million, and almost all have been cracked at the time of this writing. The list does not include account names, but security experts commenting on the breach say it’s reasonable to assume that the original hacker also has access to this information. Even if the hacker does not, the breach would allow anyone to discover the most commonly used passwords for these sites. Those passwords could then be tried against accounts at random.
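Why unsalted hashes are easier to crack and expose the most common passwords, shown as an added example that is not from the original article or from any of the affected sites: with a bare digest, every account using the same password stores the same value, while a per-user salt and a slow key-derivation function make every stored value unique. The account names, passwords, the choice of SHA-1 for the weak case and the PBKDF2 parameters are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts; three of them share one password.
USERS = {
    "alice": "sunshine1",
    "bob": "sunshine1",
    "carol": "sunshine1",
    "dave": "x9!Lq2#vTz",
}

def unsalted_hash(password):
    """Weak storage: a bare, fast digest (SHA-1 is an assumption here)."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_hash(password, salt=None):
    """Hardened storage: per-user random salt plus a slow KDF (PBKDF2)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, expected)

def shared_digests(digests):
    """Return the stored values that appear for more than one account."""
    return {d: n for d, n in Counter(digests).items() if n > 1}

def audit():
    """Compare both storage schemes over the same constructed accounts."""
    weak = [unsalted_hash(p) for p in USERS.values()]
    strong = [salted_hash(p)[1] for p in USERS.values()]
    return shared_digests(weak), shared_digests(strong)

if __name__ == "__main__":
    weak_dupes, strong_dupes = audit()
    print("unsalted values shared by several accounts:", weak_dupes)
    print("salted values shared by several accounts:", strong_dupes)
```

Running `shared_digests` over an existing credential table is a quick check for unsalted storage: any repeated value means one recovered password applies to every account that shares it.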
More bad news rolled in shortly afterward, when Last.fm announced that it was investigating a user password leak. The decision to investigate appears to be related to the leak of eHarmony and LinkedIn passwords. A post on the official Last.fm blog states: “This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately.”
That’s good advice. If you use these sites or have used them in the past, you should immediately change your password. It’s also a good idea to change your password on any other site where you have used the same password.
Source: Ars Technica