Hackers Stole Over 43 Million Last.fm Accounts In 2012 Breach (zdnet.com)
The aftermath of 2012's infamous hack is shaping up to be more serious than we had anticipated. An anonymous reader writes: Last.fm suffered a data breach back in 2012, but details of the attack were not disclosed. On Thursday, breach notification site LeakedSource, which obtained a copy of the database and posted details of the hack in a blog post, said more than 43.5 million accounts were stolen.
The database also contained hashed passwords, scrambled with the MD5 algorithm that nowadays is easy to crack. LeakedSource said that the algorithm is "so insecure" that it was able to decipher over 96 percent of passwords in just two hours.
Re: (Score:2)
why last.fm? (Score:1)
Re:why last.fm? (Score:4, Informative)
Re: (Score:2)
People use the same password across sites. Hack it and get an email and password combo to add to your dictionary.
2012... (Score:3)
Mandatory Search Tool (Score:1)
Someone has a MD5 search to see if your password shows up:
https://lastpass.com/lastfm/ [lastpass.com]
When I try it, it throws an error ... anyways ...
Re: (Score:3)
Someone has a MD5 search to see if your password shows up:
https://lastpass.com/lastfm/ [lastpass.com]
When I try it, it throws an error ... anyways ...
I should put one of those up. It's a great way to harvest passwords.
Re: (Score:2)
Someone has a MD5 search to see if your password shows up:
https://lastpass.com/lastfm/ [lastpass.com]
When I try it, it throws an error ... anyways ...
Their JavaScript file tries to inject some PHP to get a random number.
Since it's a JavaScript file, not PHP, the random injection is not executed and remains as a string.
The string is then used as part of an AJAX request url: https://lastpass.com/lastfm/index.php?rand=%3C?php%20echo%20rand(23,238923892389)?%3E
Finally, their security crap goes "OH NO! ATTEMPTED PHP INJECTION" and crashes.
See https://lastpass.com/js/breach_crypto.js [lastpass.com] line 44. Then laugh heartily.
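The mechanism the comment above describes, as an added example that is not the LastPass file itself: a server-side PHP tag left inside a JavaScript string in a static asset is never executed, so `encodeURI` dutifully percent-encodes the literal tag into the query string, producing exactly the URL quoted above. The URL and tag are taken from the comment; the sample file contents, the detector function and the client-side replacement are assumptions added here.

```javascript
// Added example, not the original breach_crypto.js. The tag below is the one
// quoted in the comment; because the file is served as static JavaScript, the
// PHP interpreter never sees it and the string survives verbatim.
const UNRENDERED = "<?php echo rand(23,238923892389)?>";

// How the request URL gets built when the "random number" is that literal.
// encodeURI leaves ? , ( ) untouched and encodes < > and spaces, which is
// what produces %3C?php%20echo%20rand(23,238923892389)?%3E on the wire.
function buildRequestUrl(base, rand) {
  return encodeURI(base + "?rand=" + rand);
}

// Constructed stand-in for a static JS file that a build step should have
// rendered through PHP but did not.
const SAMPLE_JS = [
  "var base = 'https://lastpass.com/lastfm/index.php';",
  "var url = base + '?rand=<?php echo rand(23,238923892389)?>';",
  "xhr.open('GET', encodeURI(url));",
].join("\n");

// Assumed pre-deploy check: flag unrendered server-side tags (PHP <?php ?>,
// <?= ?>, and ASP/ERB style <% %>) in assets that are served as-is.
function findUnrenderedTags(source) {
  const re = /<\?(?:php\b|=)[\s\S]*?\?>|<%[\s\S]*?%>/g;
  return source.match(re) || [];
}

// What the file presumably meant to do: a cache-buster generated on the client,
// which needs no server-side templating at all.
function clientSideRand() {
  return Math.floor(Math.random() * 1e12);
}

module.exports = { UNRENDERED, SAMPLE_JS, buildRequestUrl, findUnrenderedTags, clientSideRand };
```

The detector is deliberately narrow: it looks only for tag syntax that has no legitimate meaning in JavaScript, so a comparison like `a < b ? c : d` does not trip it. Run it over the static asset directory in CI and fail the build on any hit; that catches the class of bug before a WAF does it in production, in front of users.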
Why is communication about security so bad? (Score:1)
alarm fatigue (Score:2)
Wrong lessons (Score:2)
As long as people keep spewing nonsense about hash algorithms and salts and key stretching schemes being a solution when they are not, nothing will change.
If you want to keep your password databases out of the hands of those who find it trivial to hack into your hopelessly insecure infrastructure use dedicated authenticators whose one and only job is authentication. You get to keep your password databases wherever you want. The only thing you don't get to do is store encryption keys for those passwords in
Re: (Score:3)
Agreed!
Site A: super secure secret hashing function.
Site B: a different super secure secret hashing function.
Site C: crappy hashing function
Dumbass user: Re-uses same password on all three sites. BOOM, all three sites are now compromised. You're only as strong as your weakest link.
The lessons should be:
* Use a unique password for every site
* Use a password manager
Re: (Score:2)
Exactly
OneLogin hacked [slashdot.org]
My wife has gone old school and keeps a physical notebook with her sites/passwords in it, which she locks in her top drawer.
Can't exactly hack that, and it would require physical access to our study which is generally off limits to everyone (because it's a mess).
Contemplating doing the same actually.
Re: (Score:1)
It is OK to use the same password at different sites.
Just use different usernames.
And for sites that insist on email addresses instead,
well that's what mailinator is for.
--
Cheap, Fast, Good -- you have selected "None of the Above"?
The part I find most astonishing is... (Score:2)
The part I find most astonishing is... Last.fm had over 43 million users. Ever.