Following recent security incidents at Dropbox and LinkedIn, millions of user records from UK-based music streaming service Last.fm have now surfaced in the wild from a hack that occurred in 2012, according to breach notification website LeakedSource.
Each record reportedly contains a username, email address, hashed password and profile data for 43,570,999 users in total. Upon analysis, the LeakedSource researchers found evidence the original hack took place on 22 March 2012.
In a statement posted online alongside news of the leaked data, the researchers said the passwords had been hashed with unsalted MD5 – a fast hash with no per-user salt, which means identical passwords produce identical hashes and a single precomputed table of common passwords can be checked against every record at once. By modern computing standards that is trivial to crack.
"This algorithm is so insecure it took us two hours to crack and convert over 96% of them to visible passwords," LeakedSource said. "[This is] a sizeable increase from prior mega-breaches."
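To make the point concrete, the following is an added example (written for this page, not code from the article or from LeakedSource) showing why an unsalted MD5 dump falls so quickly. All usernames, hashes and the tiny wordlist are constructed for illustration; a real attack would use a wordlist such as rockyou.txt and a GPU cracker rather than Python, but the shape of the attack is the same. Against unsalted MD5 the attacker hashes each candidate password once, builds a lookup table, and then checks every leaked hash against it, so the cost barely grows with the number of users and every user who picked '123456' falls together. The same attack against a per-user salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256 is used here as the contrast; the article does not say what Last.fm uses today) has to be repeated per user and pays for thousands of iterations per guess.

```python
import hashlib
import secrets

# Constructed sample records in the unsalted-MD5 form the article describes.
# Usernames and passwords are made up; alice and dave deliberately share one.
LEAKED_UNSALTED = {
    "alice": hashlib.md5(b"123456").hexdigest(),
    "bob": hashlib.md5(b"password").hexdigest(),
    "carol": hashlib.md5(b"lastfm").hexdigest(),
    "dave": hashlib.md5(b"123456").hexdigest(),
    "erin": hashlib.md5(b"c0rrect-H0rse-batt3ry").hexdigest(),
}

# Constructed stand-in for a real wordlist.
WORDLIST = ["123456", "password", "lastfm", "qwerty", "letmein", "12345678"]


def crack_unsalted_md5(records, wordlist):
    """Dictionary attack on unsalted MD5.

    Hash each candidate once, then look every leaked hash up in the table.
    Work is len(wordlist) hash computations regardless of how many records
    there are, and users who share a password are recovered together.
    Returns {username: recovered_password} for every hit.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in records.items() if h in table}


def store_salted(password, rounds=100_000):
    """Salted, iterated storage: random 16-byte salt + PBKDF2-HMAC-SHA256.

    Format 'salthex$digesthex' is an assumption made for this example.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored, rounds=100_000):
    """Check a login attempt against a store_salted() record."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), rounds)
    return secrets.compare_digest(digest.hex(), digest_hex)


def crack_salted(records, wordlist, rounds=100_000):
    """The same dictionary attack against salted PBKDF2 records.

    No shared table is possible: each record has its own salt, so the
    wordlist must be re-hashed per user, and every guess costs `rounds`
    HMAC iterations instead of one MD5.  Returns (hits, hash_calls).
    """
    found = {}
    hash_calls = 0
    for user, stored in records.items():
        salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        for w in wordlist:
            hash_calls += 1
            guess = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, rounds)
            if guess.hex() == digest_hex:
                found[user] = w
                break
    return found, hash_calls


if __name__ == "__main__":
    hits = crack_unsalted_md5(LEAKED_UNSALTED, WORDLIST)
    print(f"unsalted MD5: {len(hits)}/{len(LEAKED_UNSALTED)} cracked "
          f"with {len(WORDLIST)} hash computations: {hits}")

    # Re-store the same constructed passwords properly and attack again.
    salted = {u: store_salted(p) for u, p in
              [("alice", "123456"), ("dave", "123456"), ("erin", "c0rrect-H0rse-batt3ry")]}
    found, calls = crack_salted(salted, WORDLIST)
    print(f"salted PBKDF2: {len(found)}/{len(salted)} cracked, but alice and "
          f"dave now have different records and it took {calls} PBKDF2 calls "
          f"of 100000 iterations each")
```

Note that salting does not rescue '123456' itself: a guessable password is still guessed. What it removes is the ability to crack 96% of 43 million records with a single pass over a wordlist, which is the part of the LeakedSource claim that the hashing choice, rather than user behaviour, is responsible for.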
The cracked passwords were strikingly weak. The three most common were '123456', 'password' and 'lastfm'. The three most common email providers among the accounts were Hotmail (9,374,285 accounts), Gmail (8,314,417 accounts) and Yahoo (6,509,598 accounts).
Last.fm has known about the breach since 2012. At the time the firm released a short statement asking users to reset their passwords, but gave few technical details about the true scope of the incident. According to a report on Gigaom.com at the time, the firm claimed to have lost 1.5 million passwords. We now know it was far more.
Two publications – ZDNet and Softpedia – were able to verify the legitimacy of the leaked data. Now, LeakedSource has added the breached records into its database, which means users can easily type in their email address and check if they were impacted by the hack.
The Last.fm hack followed a slew of big-name firms being haunted by older breaches only surfacing now. These include Dropbox, Myspace, LinkedIn and Russian social media platform VK. Each website lost millions of users' records – most of which ended up for sale on Dark Web marketplaces.
And it seems the major hacking disclosures are set to continue. "We have so many databases waiting to be added that if we were to add one per day it would still take multiple years to finish them all," LeakedSource claimed. "We are currently processing multiple more mega breaches."