Not 24 hours after LinkedIn confirmed the leak of 6.5 million hashed account passwords, last.fm have announced that they are investigating a leak of their own:
We are currently investigating the leak of some Last.fm user passwords. This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately.
According to @CrackMeIfYouCan, the leak contained more than 17 million hashes, of which 95% have been cracked:
A bit of stats on last.fm leak: 1) It happened a WHILE ago. 2010/2011 2) 17.3 million raw-md5 3) 16.4 million cracked. 95% cracked.
— KoreLogic (@CrackMeIfYouCan) June 7, 2012
The most common "words" in the lastfm leak? lastfm last love alex abc may mike june jan chris max music blue password qwerty july angel
— KoreLogic (@CrackMeIfYouCan) June 7, 2012
Over 43,000 of the leaked last.fm hashes contained the string 'lastfm' in some way.
— KoreLogic (@CrackMeIfYouCan) June 7, 2012
They've also posted some more statistics on the leaked hashes in the /r/netsec discussion on Reddit.
With dating site eHarmony also confirming a leak of 1.5 million password hashes (thankfully salted), hopefully this will serve as a wake-up call both to developers (use scrypt, bcrypt or similar to store passwords) and end users (don't reuse passwords between accounts, and use a password manager like LastPass, KeePass or 1Password).
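The contrast the post draws, as an added example that is not code from the original post or from last.fm: unsalted raw MD5 (the scheme behind the leaked hashes), beside a salted scrypt store with a constant-time check. The scrypt parameters, the `scheme$N$r$p$salt$digest` storage format and the sample accounts are assumptions constructed for this example.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

# Unsalted raw MD5: what the leaked last.fm hashes were.
def raw_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# scrypt cost parameters: an assumption chosen for this example, not last.fm's.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt; a fresh random salt per account unless one is supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Self-describing record so parameters can be raised later without a rehash of everyone.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    return hmac.compare_digest(digest.hex(), digest_hex)

def shared_hash_groups(hashes: list) -> dict:
    """Hash values that more than one account shares. With unsalted MD5, equal
    passwords collapse to equal hashes, which is why the per-word statistics
    quoted above can be read straight off the dump."""
    return {h: c for h, c in Counter(hashes).items() if c > 1}

# Constructed sample accounts (not real data).
SAMPLE_ACCOUNTS = [("alice", "lastfm"), ("bob", "password"),
                   ("carol", "lastfm"), ("dave", "qwerty")]

def compare_schemes():
    """Returns (number of shared MD5 groups, number of shared scrypt groups)."""
    md5_list = [raw_md5(pw) for _, pw in SAMPLE_ACCOUNTS]
    scrypt_list = [hash_password(pw) for _, pw in SAMPLE_ACCOUNTS]
    return len(shared_hash_groups(md5_list)), len(shared_hash_groups(scrypt_list))

if __name__ == "__main__":
    print(compare_schemes())  # the two "lastfm" users share an MD5, not a scrypt record
```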
Via The Next Web