Remember Last.fm? It’s a music tracking and analytics service where users sign up to share what their favorite music is so they can discover who they’re frequently listening to, what other artists they might like, or talk to other fans of their favorite groups.
It was a pretty unique service when it first came out in the early 2000s, and it hit its peak popularity around 2009/2010. That popularity may have made it a target of a hack in 2012, the details of which we’re only just now learning.
According to LeakedSource, which publicly published the details of the hack this week, the Last.fm hack took place on March 22, 2012. In this hack, the data for more than 43 million users was breached, including usernames, passwords and email addresses.
What happened?
Apparently user passwords were stored using unsalted MD5 hashing, which LeakedSource says took two hours to convert into readable plaintext passwords.
While Last.fm’s password hashing left much to be desired, sadly the breached passwords themselves weren’t much better.
The most popular password by far? “123456” – yes, seriously.
In fact, here are the top 10 most popular passwords, according to LeakedSource’s research:
Rank | Password | Frequency
---|---|---
1 | 123456 | 255,319 |
2 | password | 92,652 |
3 | lastfm | 66,857 |
4 | 123456789 | 63,984 |
5 | qwerty | 46,201 |
6 | abc123 | 36,367 |
7 | abcdefg | 34,050 |
8 | 12345 | 33,785 |
9 | 1234 | 30,938 |
10 | music | 27,975 |
Some users might not think a music logging site is important enough to merit a more complex password, but using passwords this insecure isn’t a good idea, especially if you’re likely to reuse them on other sites that are a bit more high-stakes.
What to do?
Even if your password wasn’t in the top ten, if you were ever a Last.fm user it’s a good idea for you to change your password right away. If you’ve re-used your Last.fm password anywhere else, make sure to change that too (and make each password unique for each online account you have).
If you’re not sure if your information was part of this breach, you can check using LeakedSource’s search.
And if you’d like to know how to pick a proper password, then we can help you with that.
Thinktwice
To be honest, I think the Top 10 passwords listed are very good passwords for websites such as LastFM, combined with a secondary email address and few personal information shared. It would be a waste to use a strong password, especially when using it on other more sensitive websites. I don’t think anyone uses the password “lastfm” on any other site, do you?
Paul Ducklin
You’re trolling, right?…
…this time I think I spotted it!
Don Browning
Every time I see this list it gives me a good belly laugh. What’s it gonna take to get people to take complex passwords seriously? Paul, correct me if I’m wrong, but I recently read a top password cracker using brute force can make 90 million guesses in 30 seconds. People just do not understand their power. I use LastPass and it really helps me a lot. Paul, love your podcasts.
Maneo S.
What does it matter that someone can make “90 million guesses in 30 seconds” if the attempts are locked out after 3 wrong guesses?
Paul Ducklin
Depends on whether they *are* locked out after 3 wrong guesses. In an offline attack, for example, where the crooks have already stolen the hashes against which to test a list of passwords, there is no way to limit the rate at which they try, or the number of computers they use in the attempt.
Matt Parkes
People are still so rubbish at picking passwords despite the constant message that you guys and other experts regularly preach about, although one would hope that, as this is a list from a 2012 breach, maybe this list is a snapshot in time and that by now these users do have separate unique passwords for other sites, especially ones storing or handling more sensitive data.
What I would say is that if the assumption is that poor passwords have been chosen because the user doesn’t place particular value on the data held about them on last.fm, then I would hope that on sites where the data is thought to be more important they would consciously pick a more secure password; if they didn’t, let’s hope they have done in more recent times.
Digital-FOR⌘ (@AES_KeySize)
Maybe you tried cracking with rainbow tables, or they need to salt their hashes.