Hackers Stole Over 43 Million Last.fm Accounts In 2012 Breach (zdnet.com)

The aftermath of 2012's infamous hack is shaping up to be more serious than we had anticipated. An anonymous reader writes: Last.fm suffered a data breach back in 2012, but details of the attack were not disclosed. On Thursday, breach notification site LeakedSource, which obtained a copy of the database and posted details of the hack in a blog post, said more than 43.5 million accounts were stolen.

The database also contained hashed passwords, scrambled with the MD5 algorithm that nowadays is easy to crack. LeakedSource said that the algorithm is "so insecure" that it was able to decipher over 96 percent of passwords in just two hours.

25 comments

  1. More details by Anonymous Coward · · Score: 0

    The Softpedia article has more details: http://news.softpedia.com/news/data-of-43-million-users-stolen-during-2012-last-fm-data-breach-507830.shtml

    1. Re:More details by Anonymous Coward · · Score: 0

      Learn how to use href FFS.

    2. Re: More details by Anonymous Coward · · Score: 0

      Go fuck yourself.

    3. Re:More details by FatdogHaiku · · Score: 1

      FF lets me highlight the text and right click to open as a link...

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office

    4. Re:More details by Anonymous Coward · · Score: 0

      So does Pale Moon, Chromium, Chrome, Opera, etc. I think pretty much every modern web browser does.

  2. why last.fm? by whoozwah · · Score: 1

    Is there any relevant reason to hack last.fm? Do they just want to screw around with how many times people have scrobbled Rihanna?

    1. Re:why last.fm? by Cajun+Hell · · Score: 3, Informative

      The usual: password re-use. You use this list to try to break into somewhere else.

      --
      "Believe me!" -- Donald Trump

    2. Re:why last.fm? by known_coward_69 · · Score: 1

      People use the same password across sites. Hack it and get an email and password combo to add to your dictionary.

  3. 2012... by __aaclcg7560 · · Score: 2

    Although the world didn't end in 2012, hackers were quite busy that year.

    1. Re:2012... by Anonymous Coward · · Score: 0

      Ha. Hackers are busy every year, it's just we don't find out about it until 4 years later.

  4. Mandatory Search Tool by Lieutenant_Dan · · Score: 1

    Someone has a MD5 search to see if your password shows up:
    https://lastpass.com/lastfm/

    When I try it, it throws an error ... anyways ...

    --
    Wearing pants should always be optional.

    1. Re:Mandatory Search Tool by TechyImmigrant · · Score: 2

      Someone has a MD5 search to see if your password shows up:
      https://lastpass.com/lastfm/

      When I try it, it throws an error ... anyways ...

      I should put one of those up. It's a great way to harvest passwords.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.

    2. Re:Mandatory Search Tool by q4Fry · · Score: 1

      Someone has a MD5 search to see if your password shows up:
      https://lastpass.com/lastfm/

      When I try it, it throws an error ... anyways ...

      Their javascript file tries to inject some PHP to get a random number.
      Since it's a javascript file, not PHP, the random injection is not executed and remains as a string.
      The string is then used as part of an AJAX request url: https://lastpass.com/lastfm/index.php?rand=%3C?php%20echo%20rand(23,238923892389)?%3E
      Finally, their security crap goes "OH NO! ATTEMPTED PHP INJECTION" and crashes.

      See https://lastpass.com/js/breach_crypto.js line 44. Then laugh heartily.

  5. What next? by Anonymous Coward · · Score: 0

    Github got hacked in 2012 too? That would be epic!

    Lots of user accounts to steal there :-).

  6. Why is communication about security so bad? by marmot7 · · Score: 1

    It seems that inexcusably bad communication accompanies these breaches. It makes a bad problem FAR worse. Any sense of why communication about security problems (e.g., breaches) is lousy? There are some notable exceptions, but usually the corporate/PR communication fail is as bad as the security fail.

  7. alarm fatigue by k6mfw · · Score: 1

    It seems every fifth story on /. and other forums is about a site that has been hacked (with 10s of millions of accounts, I think the hackers will be dead of old age by the time they go through each one). I don't even read the details anymore: boy-who-cried-wolf syndrome, or "alarm fatigue" as noted in safety circles (get so many alarms that people ignore them, including the fire alarm that responds to a real fire).

    --
    mfwright@batnet.com

  8. Wrong lessons by WaffleMonster · · Score: 1

    As long as people keep spewing nonsense about hash algorithms and salts and key stretching schemes being a solution when they are not, nothing will change.

    If you want to keep your password databases out of the hands of those who find it trivial to hack into your hopelessly insecure infrastructure, use dedicated authenticators whose one and only job is authentication. You get to keep your password databases wherever you want. The only thing you don't get to do is store encryption keys for those passwords in a general purpose system.

    1. Re:Wrong lessons by UnknownSoldier · · Score: 2

      Agreed!

      Site A: super secure secret hashing function.
      Site B: a different super secure secret hashing function.
      Site C: crappy hashing function

      Dumbass user: Re-uses same password on all three sites. BOOM, all three sites are now compromised. You're only as strong as your weakest link.

      The lessons should be:

      * Use a unique password for every site
      * Use a password manager

    2. Re:Wrong lessons by Anonymous Coward · · Score: 0

      Site D: crappy password manager
      Site E: unscrupulous (NSA friendly) password manager
      Site F: can't remember password (unique passwords suck)
      Site G: can't remember password
      Site H-Z: can't remember password

      This is not helpful

    3. Re: Wrong lessons by Anonymous Coward · · Score: 0

      supergenpass

    4. Re:Wrong lessons by LordWabbit2 · · Score: 1

      Site D: crappy password manager

      Exactly
      OneLogin hacked

      My wife has gone old school and keeps a physical notebook with her sites/passwords in it, which she locks in her top drawer.
      Can't exactly hack that, and it would require physical access to our study which is generally off limits to everyone (because it's a mess).
      Contemplating doing the same actually.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.

    5. Re:Wrong lessons by Anonymous Coward · · Score: 0

      Last.fm has an API though, and users of that API (i.e. everyone whose music player has a plug-in that 'scrobbles' to last.fm [1]) need to authenticate using md5(password).

      I guess that can be improved by a challenge-response scheme though, but they do need to store an unsalted md5 somewhere for it to work (to the best of my knowledge).

      That, or they need to update the authentication on a sithload of plug-ins written during the ten years before the hack.

      [1] the plug-in is the main part of last.fm.

    6. Re:Wrong lessons by CmdrTamale · · Score: 1

      It is OK to use the same password at different sites.
      Just use different usernames.

      And for sites that insist on email addresses instead,
      well that's what mailinator is for.

      --
      Cheap, Fast, Good -- you have selected "None of the Above"?

  9. The part I find most astonishing is... by tlambert · · Score: 1

    The part I find most astonishing is... Last.fm had over 43 million users. Ever.