Hacker News

@CrackMeIfYouCan posted this on twitter:

A bit of stats on last.fm leak:

1) It happened a WHILE ago. 2010/2011

2) 17.3 million raw-md5

3) 16.4 million cracked. 95% cracked.


WTF, A YEAR AGO?? They didn't notify users (i.e. me). Aren't they in breach of California law? Where are they based?


maybe they're just learning about it


There was also a leak around 5(!) years ago; it didn't bother them enough to do something about it though :/

see http://news.ycombinator.com/item?id=4083339


Nice to hear. I had thought that perhaps one of their higher-ups had used the same pass on LinkedIn as on Last.fm and had noticed suspicious activity. Now I know that they just googled to see, "oh, did anyone hack us? they did?! OVER A YEAR AGO?!"


Any info on how and why so many were cracked? Passwords too simple?


MD5, unsalted. On commodity hardware you can compute those blazingly fast. A brute force attack, ignoring word lists, is totally possible.

That's ignoring all the resources that offer access to precomputed hashes (I don't want to call a list of MD5 hashes a rainbow table).

Easy or not, passwords saved with this scheme are unprotected.
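To illustrate the comment above, here is an added example (not from the thread or from Last.fm): a constructed user table stored as raw unsalted MD5, a tiny constructed stand-in for the precomputed hash lists mentioned, and the salted, iterated alternative (PBKDF2-HMAC-SHA256) that makes such lists useless. Names, passwords and the iteration count are all assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample "user table" in the scheme the thread describes:
# the raw, unsalted MD5 hex digest of each user's password.
UNSALTED_DB = {
    "alice": hashlib.md5(b"password1").hexdigest(),
    "bob": hashlib.md5(b"letmein").hexdigest(),
    "carol": hashlib.md5(b"password1").hexdigest(),  # same password as alice
}

# Tiny constructed stand-in for a precomputed MD5 list: digest -> plaintext.
PRECOMPUTED = {hashlib.md5(p).hexdigest(): p.decode()
               for p in (b"password1", b"letmein", b"123456")}


def lookup_unsalted(db):
    """Map each user to their password when the stored digest is in the list.

    With no salt the stored value depends only on the password, so one
    precomputed table answers the question for every user at once."""
    return {user: PRECOMPUTED[h] for user, h in db.items() if h in PRECOMPUTED}


def shared_hashes(db):
    """True if two users share a stored digest: unsalted storage leaks that
    they chose the same password, before anything is cracked."""
    return len(set(db.values())) < len(db)


def store_salted(password, salt=None, iterations=100_000):
    """Per-user random salt plus an iterated KDF (assumed iteration count).

    The salt makes every stored value unique, so a precomputed table built
    for one user is worthless for the next; the iterations slow guessing."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return salt, digest


def verify_salted(password, salt, digest, iterations=100_000):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return hmac.compare_digest(candidate, digest)
```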

