Last.FM popped, joins password fail trio


Password leak may be a separate hack.

In the span of about 24 hours, three major websites have requested that their users change their passwords following apparent heists of millions of credentials.

Music website Last.fm is the latest to fall prey. On Thursday, the British company released a statement announcing it was looking into the matter.

“We are currently investigating the leak of some Last.fm user passwords,” the statement read. “As a precautionary measure, we're asking all our users to change their passwords immediately.”

The news comes on the heels of the leak of some 6.5 million passwords belonging to users of LinkedIn, in addition to possibly another 1.5 million passwords connected to members of dating website eHarmony.

The passwords, which were protected only by a weak, easily crackable hashing scheme, were posted to insiderpro by a hacker who was seeking assistance in cracking them.

Although there is no evidence that directly ties the three attacks together, Chester Wisniewski, senior security adviser at SophosLabs, said the timing may imply that they are linked.

“There's no evidence so far, but it certainly feels like it,” Wisniewski said. “That's just a gut feeling.”

While the LinkedIn data was cloaked using a cryptographic hash function, SHA-1, it can still be cracked because additional protections such as salting, which adds a random sequence of symbols to each password before it is hashed, were not implemented.

Meanwhile, eHarmony's passwords were disguised using MD5, a cryptographic hash function that has been known for years to be vulnerable.

“They shouldn't even have bothered using it,” Wisniewski told SC Magazine. “It's almost as bad as storing them in plain text.”
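The weakness described above, as an added illustration that is not part of the original article: two users who pick the same password get identical unsalted SHA-1 digests, so one precomputed dictionary of hashes recovers every matching account at once, whereas a random per-user salt with an iterated hash makes each stored value unique. The user table and wordlist are constructed sample data; PBKDF2-HMAC-SHA256 is used here as the hardened alternative.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample data: two users chose the same weak password.
USERS = {"alice": "password123", "bob": "password123", "carol": "correct horse"}

# Constructed wordlist standing in for a cracker's dictionary.
WORDLIST = ["123456", "password", "password123", "linkedin", "qwerty"]

ITERATIONS = 200_000


def unsalted_sha1(password: str) -> str:
    """Store a password as a bare SHA-1 hex digest (the unsalted scheme)."""
    return hashlib.sha1(password.encode()).hexdigest()


def lookup_unsalted(stored: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Show why unsalted hashes fall to a dictionary: hash each word once,
    then every user whose digest matches is recovered by table lookup."""
    table = {unsalted_sha1(word): word for word in wordlist}
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash: a fresh random salt per user means equal
    passwords produce different digests and no shared lookup table applies."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = {user: unsalted_sha1(pw) for user, pw in USERS.items()}
    print("unsalted matches:", lookup_unsalted(stored, WORDLIST))
    salt, digest = salted_hash("password123")
    print("salted verify:", verify_salted("password123", salt, digest))
```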

Users with profiles or accounts on these websites should replace their passwords with more “complex” characters even if they weren't compromised, said Lance James, director of intelligence at Vigilant.

“As an example, use a sentence that can be memorised and add symbols and numbers that substitute certain letters.”

In all three cases, it is unclear how the attackers stole the data. Security experts have offered up a number of possibilities for how the thieves may have reached the passwords, including through a vulnerable web application or via a trusted insider.

A spokesperson for Last.fm did not respond to a request for comment.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition
