Naked Security

And the worst passwords from the Last.fm hack are…

Music analytics site Last.fm had a user credential breach in 2012, the details of which are just now becoming public.

Remember Last.fm? It’s a music tracking and analytics service where users sign up to share what their favorite music is so they can discover who they’re frequently listening to, what other artists they might like, or talk to other fans of their favorite groups.

It was a pretty unique service when it first came out in the early 2000s, and it hit its peak popularity around 2009/2010. That popularity may have made it a target of a hack in 2012, the details of which we’re only just now learning.

According to LeakedSource, which published the details of the hack this week, the Last.fm breach took place on March 22, 2012. Data for more than 43 million users was exposed, including usernames, password hashes and email addresses.

What happened?

Apparently user passwords were stored as unsalted MD5 hashes. MD5 is designed to be fast, and without a per-user salt a single guess can be checked against every account at once, which is why LeakedSource says it took only about two hours to recover readable plaintext passwords from the dump.
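To make that concrete, here is an added Python illustration (it is not part of the original article, nor LeakedSource's tooling, and it uses no Last.fm data). It builds a small constructed dump of unsalted MD5 hashes, runs an offline dictionary attack against it, then repeats the attack against the same passwords stored with a random per-user salt and an iterated hash (PBKDF2-HMAC-SHA256 is assumed here as the stand-in for a proper password hash). The account names, passwords and wordlist are made up for the example.

```python
import hashlib
import os
from typing import Optional

# Constructed sample accounts, chosen to mirror the kind of passwords seen in
# the breach. These are made up for this example and are not Last.fm records.
PLAINTEXTS = {
    "alice": "123456",
    "bob":   "123456",
    "carol": "lastfm",
    "dave":  "qwerty",
    "erin":  "correct horse battery staple",
}

# A tiny wordlist; real attacks use lists with hundreds of millions of entries.
WORDLIST = ["123456", "password", "lastfm", "123456789", "qwerty",
            "abc123", "abcdefg", "12345", "1234", "music"]

PBKDF2_ROUNDS = 20_000  # kept low so the example runs quickly; use far more in production


def md5_hex(password: str) -> str:
    """Unsalted MD5, the way the article says Last.fm stored passwords."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None):
    """Salted, iterated hash: a random 16-byte salt plus PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# What the two kinds of stolen database look like to an attacker.
UNSALTED_DUMP = {user: md5_hex(pw) for user, pw in PLAINTEXTS.items()}
SALTED_DUMP = {user: pbkdf2_record(pw) for user, pw in PLAINTEXTS.items()}


def crack_unsalted(dump: dict, wordlist: list):
    """Offline dictionary attack on unsalted hashes.

    Each candidate is hashed exactly once and the result is looked up against
    every account at the same time, so the cost is len(wordlist) hashes no
    matter how many accounts were stolen. Returns (hashes_computed, cracked).
    """
    table = {md5_hex(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return len(table), cracked


def crack_salted(dump: dict, wordlist: list):
    """The same attack against salted, iterated hashes.

    The salt makes every account's hash unique, so no lookup table can be
    shared: each candidate must be re-hashed per account, and each hash costs
    PBKDF2_ROUNDS iterations instead of one MD5. Returns (hashes_computed, cracked).
    """
    work = 0
    cracked = {}
    for user, (salt, digest) in dump.items():
        for w in wordlist:
            work += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, PBKDF2_ROUNDS) == digest:
                cracked[user] = w
                break
    return work, cracked


if __name__ == "__main__":
    n, hits = crack_unsalted(UNSALTED_DUMP, WORDLIST)
    print(f"unsalted MD5:  {n} hashes computed, cracked {hits}")
    n, hits = crack_salted(SALTED_DUMP, WORDLIST)
    print(f"salted PBKDF2: {n} hashes computed, cracked {hits}")
```

Two things to notice when running it. With unsalted MD5 the two accounts that share "123456" have identical hashes, so the attacker hashes the wordlist once (10 MD5 computations here) and reads every weak account straight out of the table; that cost does not grow with the 43 million accounts in the real dump. With a per-user salt and an iterated hash, identical passwords produce different records, every account has to be attacked separately, and each guess costs thousands of rounds instead of one. Both attacks are entirely offline against stolen hashes, so no login lockout or rate limit on the live site slows them down.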

While Last.fm's password hashing left much to be desired, sadly the breached passwords themselves weren't much better.

The most popular password by far? “123456” – yes, seriously.

In fact, here are the top 10 most popular passwords, according to LeakedSource’s research:

Rank  Password    Frequency
   1  123456        255,319
   2  password       92,652
   3  lastfm         66,857
   4  123456789      63,984
   5  qwerty         46,201
   6  abc123         36,367
   7  abcdefg        34,050
   8  12345          33,785
   9  1234           30,938
  10  music          27,975

Some users might not think a music logging site is important enough to merit a more complex password, but using passwords this insecure isn’t a good idea, especially if you’re likely to reuse them on other sites that are a bit more high-stakes.

What to do?

Even if your password wasn’t in the top ten, if you were ever a Last.fm user it’s a good idea for you to change your password right away. If you’ve re-used your Last.fm password anywhere else, make sure to change that too (and make each password unique for each online account you have).

If you’re not sure if your information was part of this breach, you can check using LeakedSource’s search.

And if you’d like to know how to pick a proper password, then we can help you with that.


7 Comments

To be honest, I think the Top 10 passwords listed are very good passwords for websites such as LastFM, combined with a secondary email address and little personal information shared. It would be a waste to use a strong password, especially when using it on other more sensitive websites. I don’t think anyone uses the password “lastfm” on any other site, do you?


Every time I see this list it gives me a good belly laugh. What’s it gonna take to get people to take complex passwords seriously? Paul, correct me if I’m wrong, but I recently read a top password cracker using brute force can make 90 million guesses in 30 seconds. People just do not understand their power. I use Lastpass and it really helps me a lot. Paul, love your podcasts.


What does it matter that someone can make “90 million guesses in 30 seconds” if the attempts are locked out after 3 wrong guesses?


Depends on whether they *are* locked out after 3 wrong guesses. In an offline attack, for example, where the crooks have already stolen the hashes against which to test a list of passwords, there is no way to limit the rate at which they try, or the number of computers they use in the attempt.


People are still so rubbish at picking passwords despite the constant message that you guys and other experts regularly preach, although one would hope that, as this is a list from a 2012 breach, it is a snapshot in time and that by now these users do have separate unique passwords for other sites, especially ones storing or handling more sensitive data.

What I would say is that if the assumption is that poor passwords have been chosen because the user doesn’t place particular value on the data held about them on last.fm, then I would hope that on sites where the data is thought to be more important they would consciously pick a more secure password; if they didn’t, let’s hope they have done so in more recent times.
