Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Hackers Stole Over 43 Million Last.fm Accounts In 2012 Breach (zdnet.com) 25

The aftermath of 2012's infamous hack is shaping up to be more serious than we had anticipated. An anonymous reader writes: Last.fm suffered a data breach back in 2012, but details of the attack were not disclosed. On Thursday, breach notification site LeakedSource, which obtained a copy of the database and posted details of the hack in a blog post, said more than 43.5 million accounts were stolen.

The database also contained hashed passwords, scrambled with the MD5 algorithm that nowadays is easy to crack. LeakedSource said that the algorithm is "so insecure" that it was able to decipher over 96 percent of passwords in just two hours.

This discussion has been archived. No new comments can be posted.

Hackers Stole Over 43 Million Last.fm Accounts In 2012 Breach

Comments Filter:
  • Is there any relevant reason to hack last.fm? do they just want to screw around with how many times people have scrobbled Rhianna?
  • by __aaclcg7560 ( 824291 ) on Thursday September 01, 2016 @11:29AM (#52808563)
    Although the world didn't end in 2012, hackers were quite busy that year.
  • Someone has a MD5 search to see if your password shows up:
    https://lastpass.com/lastfm/ [lastpass.com]

    When I try it, it throws an error ... anyways ...

    • Someone has a MD5 search to see if your password shows up:
      https://lastpass.com/lastfm/ [lastpass.com]

      When I try it, it throws an error ... anyways ...

      I should put one of those up. It's a great way to harvest passwords.

    • by q4Fry ( 1322209 )

      Someone has a MD5 search to see if your password shows up:
      https://lastpass.com/lastfm/ [lastpass.com]

      When I try it, it throws an error ... anyways ...

      Their javascript file tries to inject some PHP to get a random number.
      Since it's a javascript file, not PHP, the random injection is not executed and remains as a string.
      The string is then used as part of an AJAX request url: https://lastpass.com/lastfm/index.php?rand=%3C?php%20echo%20rand(23,238923892389)?%3E
      Finally, their security crap goes "OH NO! ATTEMPTED PHP INJECTION" and crashes.

      See https://lastpass.com/js/breach_crypto.js [lastpass.com] line 44. Then laugh heartily.

  • It seems that inexcusably bad communication seems to accompany these breaches. It makes a bad problem FAR worse. Any sense of why communication about security problems (e.g., breaches) is lousy? There are some notable exceptions but usually the corporate/PR communication fail is as bad as a the security fail.
  • It seems every fifth story on /. and other forums are sites that have been hacked (with 10s of millions of accounts, I think the hackers will be dead of old age by the time they go through each one). I don't even read the details anymore, boy who cried wolf syndrome, or "alarm fatigue" as noted in safety circles (get so many alarms people ignore them including fire alarm that responds to a real fire).
  • As long as people keep spewing nonsense about hash algorithms and salts and key stretching schemes being a solution when they are not nothing will change.

    If you want to keep your password databases out of the hands of those who find it trivial to hack into your hopelessly insecure infrastructure use dedicated authenticators whose one and only job is authentication. You get to keep your password databases wherever you want. The only thing you don't get to do is store encryption keys for those passwords in

    • Agreed !

      Site A: super secure secret hashing function.
      Site B: a different super secure secret hashing function.
      Site C: crappy hashing function

      Dumbass user: Re-uses same password on all three sites. BOOM, all three sites are now compromised. You're only as strong as your weakest link.

      The lessons should be:

      * Use an unique password for every site
      * Use a password manager

      • It is OK to use the same password at different sites.
        Just use different usernames.

        And for sites that insist on email addresses instead,
        well that's what mailinator is for.
        --
        Cheap, Fast, Good -- you have selected "None of the Above"?

  • The part I find most astonishing is... Last.fm had over 43 million users. Ever.

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...