3,570,999 user accounts were breached in a hack of Last.fm that occurred in March of 2012, according to a report from LeakedSource. Three months after the breach, in June of 2012, Last.fm issued the following statement:
“We are currently investigating the leak of some Last.fm user passwords. This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately.”
The number of passwords and the severity of the hack were not uncovered until today. The passwords were stored using unsalted MD5 hashing. Rather than storing passwords in plaintext, nearly every site that stores critical user information utilizes some form of hashing. Hashing is not encryption in the reversible sense: it is a one-way transformation of a password into a fixed-length digest, and some methods are far superior to others.
MD5 is seriously out of style for password storage, in part because it is not computationally intensive enough to resist modern methods of brute-force cracking. Moreover, Last.fm didn't use salt in its hashing process. Salting is the practice of adding a random string to each individual password before it is hashed, so that identical passwords produce different hashes, making them more secure and decreasing the likelihood that they will be cracked if the hashes are ever leaked online. Unfortunately, Last.fm did not take that step, and LeakedSource reports that most of the passwords were easily cracked.
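The difference between the two storage schemes described above, as an added example that is not code from Last.fm or LeakedSource: unsalted MD5 gives every account with the same password the same digest, while a per-user salt with a slow key-derivation function does not. The account names, passwords, iteration count, and the choice of PBKDF2-HMAC-SHA256 as the replacement are assumptions of this example.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts; none of these values come from the leak.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "S3parate!"}
ITERATIONS = 200_000  # assumed work factor for this example


def md5_unsalted(password):
    """The weak scheme the article describes: a bare MD5 digest, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_salted(password, salt=None):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_salted(password, salt)[1], expected)


def accounts_sharing_a_digest(digests):
    """Count accounts whose stored digest also appears on another account."""
    counts = Counter(digests.values())
    return sum(n for n in counts.values() if n > 1)


def build_tables(users):
    """Store the same users under both schemes for comparison."""
    weak = {user: md5_unsalted(pw) for user, pw in users.items()}
    strong = {user: hash_salted(pw) for user, pw in users.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_tables(USERS)
    print("unsalted MD5, accounts sharing a digest:", accounts_sharing_a_digest(weak))
    print("salted PBKDF2, accounts sharing a digest:",
          accounts_sharing_a_digest({u: d for u, (_, d) in strong.items()}))
    print("correct password verifies:", verify_salted("letmein", *strong["alice"]))
```

The salt is stored next to the digest so a login can be verified; its job is to make each stored value unique, not to be secret.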