Passwords Stolen From Last.FM, eHarmony And LinkedIn [Updates]


The discovery of password security breaches at three popular sites has yet again reminded the web that using the same password for every site isn’t a good idea. Passwords have been stolen from millions of users of Last.FM, eHarmony and LinkedIn.

Stolen LinkedIn and eHarmony password hashes were recently uncovered when a hacker asked for help cracking stolen passwords on a public web forum. The passwords were stored as hashes, but many of them were “unsalted”, making them easier to crack. Some passwords had already been cracked by the original poster, and within several hours millions more had been split wide open by others.

The number of leaked passwords from these two sites is around 8 million, and almost all have been cracked at the time of this writing. The list does not include account names, but security experts commenting on the breach say it’s reasonable to assume that the original hacker also has access to this information. Even if the hacker does not, the breach would allow anyone to discover the most commonly used passwords for these sites. Those passwords could then be tried against accounts at random.

More bad news rolled in shortly after when Last.fm announced that it was investigating a user password leak. The decision to investigate appears to be related to the leak of eHarmony and LinkedIn passwords. A post on the official Last.fm blog states “This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately”.


That’s good advice. If you use these sites or have used them in the past you should immediately change your password. It’s also a good idea to change your password on any other site where you have used the same password.
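An added illustration of why “unsalted” hashes are the weak case described above (this is example code, not from the article, Ars Technica, or any of the sites named). It assumes unsalted SHA-1 as the weak storage scheme and PBKDF2 with a per-user random salt as the stronger one, and uses a constructed user list in which three users picked the same password. With unsalted storage, identical passwords produce identical hashes, so the most popular password is readable from the dump by counting alone; with per-user salts, every stored value is unique.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample: three of the five users share the password "password1".
USERS = [
    ("alice", "password1"),
    ("bob", "linkedin2012"),
    ("carol", "password1"),
    ("dave", "password1"),
    ("erin", "correct horse battery"),
]

def unsalted_hash(password: str) -> str:
    """Weak scheme assumed for illustration: plain SHA-1 of the password."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    """Stronger scheme: PBKDF2-HMAC-SHA256 with a unique 16-byte salt per user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def store_unsalted(users):
    # Same password -> same stored value for every user who chose it.
    return {name: unsalted_hash(pw) for name, pw in users}

def store_salted(users):
    # Each user gets a fresh random salt, stored alongside the digest.
    table = {}
    for name, pw in users:
        salt = os.urandom(16)
        table[name] = (salt.hex(), salted_hash(pw, salt))
    return table

def largest_shared_group(table) -> int:
    """Size of the biggest set of users whose stored hash is identical.
    For an unsalted dump this equals the popularity of the most common
    password and needs no cracking at all; for a salted dump it is 1."""
    digests = (v if isinstance(v, str) else v[1] for v in table.values())
    return max(Counter(digests).values())

def verify_salted(table, name: str, password: str) -> bool:
    """Recompute the salted digest and compare in constant time."""
    salt_hex, digest = table[name]
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest)
```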

Source: Ars Technica

14 Comments


Justin Boyle

Is there anything to suggest a relation between these leaks?

Matt Smith

The passwords that were posted were found to contain phrases suggesting they were related to both eHarmony and LinkedIn (but mostly LinkedIn).

As for Last.fm, the company has simply stated what was quoted in the news posts. I don’t think anyone had found what they thought to be Last.fm passwords in the hashes posted, but the phrasing of the Last.fm blog post seems to suggest the company thinks there is a link.


Nick Bruce

What’s weird about these attacks is that they happen in bursts. Like, there have been 3 sites with concerns now, but for the past few months you haven’t heard anything about these kinds of attacks.

Cliff Mccullar

Well, that really comes down to a few things, Nick, one of them being that companies tend to try to keep stuff like this extremely quiet. For instance, Apple has had 3 MAJOR break-ins that it did not inform its customers about, and flat out denied happened, yet you can find 3 separate blocks of massive amounts of iTunes users complaining about fraud (all with the same issue, happening in a small amount of time (days)). Secondly, the amount of sites broken into daily is a staggeringly large number; it’s so common that even when the sites DO report it correctly or inform their users that it has happened, it amounts to a drop in the bucket. Oh, they got 10000 cc numbers? It’s not newsworthy; you’re not going to hear about it unless you go searching for it. Just like every car accident in the country isn’t headline news on CNN, there are just too many of them. So you will tend to only hear about the REALLY big break-ins that the companies report. But I can also think of a number of major breaches that happened “solo”, such as Hotmail or Yahoo, Microsoft etc. It’s just not as impressive to report that Yahoo got broken into and hey, so did these 30 websites you have never heard of as well. Yahoo is the headline event; you don’t need 30 sites who get minimal hits per day as is.

The final thing on this, in my opinion though, is the worst: no one seems to get what a huge problem this is. Companies by and large just don’t put resources into securing their systems, let alone training all their employees in security awareness. The “press” is so used to these attacks now that it doesn’t see the forest for all the trees, and what kind of a threat that is to everyone. Because the press isn’t informing the public, the public (such as yourself) is unaware of the major issue that it is, so that you can start protecting yourself. The end result? Over 1b in damages a year and climbing.

Mihovil Pletikos

Yeah, I agree. I wonder how many times this happened to other sites but was covered up (hey Apple!!!! OK, not just them….)


Raks

How do they actually steal passwords from these secure sites?

Tina

It’s called hacking. Truth is, every security system has a hole or weak spot somewhere. If we could explain in detail how to identify and exploit the security hole, we could be hackers, too. Fortunately, it’s not that easy!

Mario

Truth is, many “big websites” have insecure systems built by noobs.


Scutterman

Thanks for the informative article. I don’t follow the Last.FM blog or Twitter, so I wouldn’t have known about this otherwise.


Himanshu Singla

This is a real worry because websites like LinkedIn even got hacked… so nothing is secure on the web, I think….


Jon Smith

Wasn’t surprised that password1 was compromised, according to the site that told you what was compromised.


Wiry Andi

In my opinion, a good password to use is a combination of numbers and characters, and it’s best if the characters are capitalized as well, though it’s hard to remember. Anyway, what does “unsalted” mean?


Theo Reisinger

This seems to be a common theme lately. I feel that shows more and more why you should practice internet/password security.
