More than 43 million accounts were compromised in a hack at Last.FM in 2012.
The news comes shortly after cloud storage service, Dropbox, confirmed that 68,680,741 user credentials were exposed in a data breach in the same year.
At the time of the breach, Last.FM urged its users to change their passwords immediately, but no details were given about what data, or how many account holders, had been affected.
Breach notification site, LeakedSource, said the breach exposed the usernames, email addresses, passwords, joining dates and other internal data of 43,570,999 users.
LeakedSource claimed that the Last.FM passwords were stored using unsalted MD5 hashing, and only took two hours to crack. Many security experts do not consider passwords to be adequately protected unless they are stored in a salted, hashed and stretched form.
The most common passwords used by Last.FM subscribers were “123456”, “password”, “lastfm”, “123456789” and “qwerty”.
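As an added illustration (not code from Last.FM or LeakedSource), this Python example contrasts unsalted MD5 storage with a salted and stretched record built with PBKDF2-HMAC-SHA256. The account names, the record format and the iteration count are assumptions made for the example; the passwords are ones the article lists as most common.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; passwords are taken from the article's "most common" list.
ACCOUNTS = [("alice", "123456"), ("bob", "123456"), ("carol", "lastfm")]

PBKDF2_ITERATIONS = 600_000  # assumption: tune to your own hardware and login latency budget


def md5_unsalted(password: str) -> str:
    """Weak scheme: one fast hash, no salt, so equal passwords give equal digests."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted and stretched record in the form algorithm$iterations$salt$digest."""
    salt = os.urandom(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations)
        )
    except ValueError:
        return False  # malformed record
    return hmac.compare_digest(candidate, expected)


def distinct_records(records) -> int:
    """Number of unique stored values; fewer than the account count means reuse is visible."""
    return len(set(records))


if __name__ == "__main__":
    weak = [md5_unsalted(pw) for _, pw in ACCOUNTS]
    strong = [hash_password(pw) for _, pw in ACCOUNTS]
    print("unsalted MD5, distinct digests:", distinct_records(weak), "of", len(weak))
    print("salted PBKDF2, distinct records:", distinct_records(strong), "of", len(strong))
    print("login check passes:", verify_password("123456", strong[0]))
```

With unsalted MD5 the two accounts sharing "123456" store the same digest, so a single guess covers every account using that password; with per-account salts each record must be attacked separately, and every guess costs the full iteration count.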
CTO data protection at Gemalto, Jason Hart, said breaches such as those at Last.FM and Dropbox are a reminder that passwords alone are no longer enough to stay secure.
He said: “Unless organisations use two-factor authentication they will remain vulnerable to password-based attacks. A ‘secure breach’ is where the data stolen cannot be used as the appropriate data protection measures were in place.”