
43 million passwords hacked in Last.fm breach



nobody uses this anymore right? still some of you might have old accounts there:

 

  Quote

 

Crikey: 43,570,999 user accounts were breached in a hack of Last.fm that occurred in March of 2012, according to a report from LeakedSource. Three months after the breach, in June of 2012, Last.fm issued the following statement: 

 
“We are currently investigating the leak of some Last.fm user passwords. This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately.”
 
The number of passwords and the severity of the hack were not uncovered until today. The passwords were stored using unsalted MD5 hashing. Rather than storing passwords in plaintext, nearly every site that stores critical user information utilizes some form of hashing. Hashing is a method for encrypting data, but some methods are far superior to others.
 
MD5 is seriously out of style, in part because it is not mathematically intensive enough to resist modern methods of brute-force cracking. Moreover, Last.fm didn’t use salt in its hashing process. Salting is the practice of adding a random string of numbers to the hash for each individual password, making them more secure and decreasing the likelihood that they will be cracked if the passwords are ever leaked online. Unfortunately, Last.fm did not take that step, and LeakedSource reports that most of the passwords were easily cracked.
 
For the second time this week, our advice is that you change your password immediately if you have an account on Last.fm. The most popular password pulled from the Last.fm database was 123456. Seriously, it’s 2016 people — use a platform like LastPass to generate randomized, complex passwords that are unique to every service for which you sign up.

 

https://techcrunch.com/2016/09/01/43-million-passwords-hacked-in-last-fm-breach/
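An added example, not part of the original post or the quoted article, of the storage difference the article describes: with unsalted MD5 every account that shares a password stores the same digest, while a per-user random salt and a slow key-derivation function give each account a distinct stored value. The account names, passwords and the PBKDF2 iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not taken from any breach data).
USERS = {"alice": "123456", "bob": "123456", "carol": "tr0ub4dor&3"}
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def md5_unsalted(password):
    """The weak scheme the article describes: one fast, unsalted MD5."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_salted(password, salt=None):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-SHA256)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_salted(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_salted(password, salt)[1], expected)


def shared_values(table):
    """Count stored values that appear for more than one account."""
    return sum(1 for n in Counter(table.values()).values() if n > 1)


def build_tables(users=USERS):
    """Return (unsalted MD5 table, salted PBKDF2 table) for the same users."""
    weak = {user: md5_unsalted(pw) for user, pw in users.items()}
    strong = {user: hash_salted(pw) for user, pw in users.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_tables()
    print("accounts sharing a stored value (unsalted MD5):", shared_values(weak))
    print("accounts sharing a stored value (salted PBKDF2):", shared_values(strong))
```

Because the unsalted digest depends only on the password, one precomputed table covers every account in a leaked dump; the salted values have to be attacked one account at a time, at the cost of the full work factor per guess.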


i been wondering about using a password manager, but i am looking for a free non-intrusive program that works on phone, windows and ubuntu and also works when logging in on public computers. basically i have no idea how they work and need suggestions.


last.fm

the biggest illusion is yourself

Had to double check but I deleted my last.fm account(s) some years ago but that might've been after 2012... 

  On 9/2/2016 at 9:49 AM, azatoth said:

i been wondering about using a password manager, but i am looking for a free non-intrusive program that works on phone, windows and ubuntu and also works when logging in on public computers. basically i have no idea how they work and need suggestions.

Bizarrely it seems like the most secure way to store passwords nowadays is to just write them on a piece of paper that you keep with you ....

I haven't eaten a Wagon Wheel since 07/11/07... ilovecubus.co.uk - 25ml of mp3 taken twice daily.

this probably hasn't been updated for the last.fm thing yet, but it's pretty useful:

 

https://haveibeenpwned.com

 

I've been guilty of re-using a weak default password on multiple sites in the past, several of these show up as breached if I enter my email addresses into the site above. Pretty sure there are still multiple old logins to various sites flying around where one would just need to copipasta the credentials...

 

Using iCloud keychain now, it's a pretty minimal & neat password manager which is integrated nicely into Safari & syncs across devices.

I still scrobble but don't really use the site itself anymore.

 

  Quote

 

MD5 is seriously out of style, in part because it is not mathematically intensive enough to resist modern methods of brute-force cracking. Moreover, Last.fm didn’t use salt in its hashing process. Salting is the practice of adding a random string of numbers to the hash for each individual password, making them more secure and decreasing the likelihood that they will be cracked if the passwords are ever leaked online. Unfortunately, Last.fm did not take that step, and LeakedSource reports that most of the passwords were easily cracked.

 

Can't say this really surprises me. The Last.fm devs are notorious for being a lazy bunch of cunts.

old news.

  On 4/17/2013 at 2:45 PM, Alcofribas said:

afaik i usually place all my cum drops on scientifically sterilized glass slides which are carefully frozen and placed in trash cans throughout the city labelled "for women ❤️ alco" with my social security and phone numbers.

Oh man, I hope someone doesn't crack my password and retag all my scrobbles!

 

That said, why AM I still scrobbling what I listen to? It's the nearest I come to some kind of OCD. Should prob just delete it.

  On 9/2/2016 at 9:49 AM, azatoth said:

i been wondering about using a password manager, but i am looking for a free non-intrusive program that works on phone, windows and ubuntu and also works when logging in on public computers. basically i have no idea how they work and need suggestions.

 

same here.

I actually use lastfm still but spotify has really taken over my need for it recommendation wise. I'd like to archive my scrobbles though...is there a way to do that?

A lot of people like LastPass, but I use KeepassX. I keep it along with the database file on my dropbox. The db has an extremely strong passphrase but the dropbox uses one of my old and easy to remember passwords. Someone could compromise the account but would never get access to the keepassx db. All passwords are randomly generated with alphanumeric characters, numbers, and symbols (as long as the site it's for allows symbols). Most are around 30 digits long. For phone, I use an app that can open keepass kdb files. 

 

There's a plugin for keepass that can autofill the passwords into forms but I don't bother. Just as easy to copy/paste when I need them..

Edited by maitake

Use words that no-one would associate with you > spell words backwards > replace certain letters with numbers / symbols = uncrackable

 

Also I've used variations on the same password since high school but modified and mutated every time I need a new one. It's evolved to this strange form I can never forget but seems to be--so far--uncrackable and impossible to guess. Not that I have anything worthwhile to be stolen...

 

  On 9/2/2016 at 11:13 AM, mcbpete said:

 

  On 9/2/2016 at 9:49 AM, azatoth said:

i been wondering about using a password manager, but i am looking for a free non-intrusive program that works on phone, windows and ubuntu and also works when logging in on public computers. basically i have no idea how they work and need suggestions.

Bizarrely it seems like the most secure way to store passwords nowadays is to just write them on a piece of paper that you keep with you ....

 

 

Or tattoo them on the inside of your eyelids

Damn, I still use Last.fm but, like Bechuga above, I don't really know why, I don't use anything besides scrobbling. I also pay for Last Pass, really couldn't do without it nowadays.

Edited by BUNKUM
  On 9/2/2016 at 4:12 PM, BUNKUM said:

I also pay for Last Pass, really couldn't do without it nowadays.

I remember a while ago I was gonna do the same and then this happened so I decided against any password managers

I haven't eaten a Wagon Wheel since 07/11/07... ilovecubus.co.uk - 25ml of mp3 taken twice daily.

  On 9/2/2016 at 4:19 PM, mcbpete said:

 

  On 9/2/2016 at 4:12 PM, BUNKUM said:

I also pay for Last Pass, really couldn't do without it nowadays.

I remember a while ago I was gonna do the same and then this happened so I decided against any password managers

 

 

Ah yes, I remember that. Changed my master password straight away and not had any issues with it since.

That's why I decided against lastpass and use keepassx instead. I'd feel comfortable sending my .kdb file to any willing hacker. They'll never get in.

  On 9/2/2016 at 4:19 PM, mcbpete said:

 

  On 9/2/2016 at 4:12 PM, BUNKUM said:

I also pay for Last Pass, really couldn't do without it nowadays.

I remember a while ago I was gonna do the same and then this happened so I decided against any password managers

 

 

Enpass, and I'm sure others, allow you to store the db locally, or on one of your own cloud drives.

in case this isn't clear - it's not about someone having access to your last fm account, but about there now being another huge database of passwords to be used in dictionary attacks on other sites. this helps crackers crack other, more important accounts.

 

watch these two videos:

 

use a pw manager, change all ur passwords to strong ones. otherwise you gonna get pwnd sooner or later

yeah, it's pretty remarkable how many people out there use the same pass for nearly every account. fucking crazy people. 

and im going to have a robot operate on me and a driverless car. no thank you.. id rather not some russian hacker infiltrate my conolonoscpy

Edited by marf
  On 9/2/2016 at 5:38 PM, marf said:

russian hacker infiltrate my conolonoscpy

New Venetian Snares album title confirmed !

I haven't eaten a Wagon Wheel since 07/11/07... ilovecubus.co.uk - 25ml of mp3 taken twice daily.

  On 9/2/2016 at 5:17 PM, phling said:

in case this isn't clear - it's not about someone having access to your last fm account, but about there now being another huge database of passwords to be used in dictionary attacks on other sites. this helps crackers crack other, more important accounts.

 

watch these two videos:

 

use a pw manager, change all ur passwords to strong ones. otherwise you gonna get pwnd sooner or later

 

Thank you very much for the videos. Very interesting and sobering indeed. I have learned something today.

For the new forum I am thinking about implementing strong passwords and two-factor authentication...


 

Follow WATMM on Twitter: @WATMMOfficial

1password is the shit. Works on Mac, Windows, Android and iOS. End-to-end encryption, choices of local or cloud storage.

Pay for it - it's worth it.

Baekho~~~ I will always love you. My son.

 

Shout outs to the saracens, musulmen and celestials.

 
