
Last.fm latest site to report password leak

The music streaming website Last.fm is investigating a possible leak of users' passwords that is likely related to similar security breaches at LinkedIn and eHarmony.

Part of same security breach as leaks at LinkedIn, eHarmony

A screen grab of the message Last.fm posted on its Twitter page advising users that their passwords may have been compromised. The leak is part of a security breach that saw several million passwords uploaded to an online forum devoted to password cracking. (Last.fm)


In an advisory posted on its site Thursday, the company said it was looking into the leak and advised users to change their passwords.

It warned users that it would never email them a direct link to update their settings or ask for their password.

Earlier in the week, the popular networking site LinkedIn and the dating site eHarmony reported that some of their users' passwords had been leaked.

The passwords are believed to have been uploaded by a Russian hacker to an online forum dedicated to collectively cracking passwords on the site InsidePro.com, which sells password recovery software.

They were uploaded without usernames attached and in hashed form: a one-way transformation that turns the password text into a code known as a hash.

Although hashing makes the passwords more difficult to recover than storing them as plain text, software exists that recovers the original passwords from their hashes by trying candidate passwords, and hackers can also simply guess the hash equivalents of some less-secure passwords.

"A lot of users have very simple passwords like the word 'password' or 'password123'," said Vikram Thakur, a researcher with the computer security firm Symantec. "Even without knowing the hash which is in the database, it's very easy for them to compute the hashes of some very commonly used passwords and then just ... see which one it matches to."
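As an added illustration of the point Thakur makes above (this is not code from the CBC article or from any of the sites named in it), the following Python shows why an unsalted, fast hash lets one precomputed table of common passwords be checked against every leaked entry with a single lookup each, and why a random per-user salt plus a slow key-derivation function removes that shortcut, so that a site auditing its own password store has to pay a full derivation for every guess. The wordlist, the "leaked" hashes and the user records are constructed here, and the use of unsalted SHA-1 for the leaked list is an assumption made for the demonstration, not a statement about how any of the three sites stored passwords.

```python
import hashlib
import hmac
import os

# Constructed wordlist of commonly used passwords (the two from the article plus three more).
COMMON_PASSWORDS = ["password", "password123", "123456", "qwerty", "letmein"]

def precompute_table(wordlist, algo="sha1"):
    """Map hash(candidate) -> candidate for an unsalted, fast hash. Built once and
    reused against every leaked hash: this is why unsalted common passwords fall fast."""
    return {hashlib.new(algo, pw.encode()).hexdigest(): pw for pw in wordlist}

def audit_unsalted(leaked_hashes, table):
    """Return {hash: password} for each leaked hash present in the precomputed table.
    One dictionary lookup per leaked hash; no hashing is done here at all."""
    return {h: table[h] for h in leaked_hashes if h in table}

def store_salted(password, iterations=50_000):
    """Defender-side storage: a random per-user salt plus a deliberately slow
    key-derivation function (PBKDF2-HMAC-SHA256) instead of a bare hash."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify_salted(password, salt, digest, iterations=50_000):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def audit_salted(records, wordlist, iterations=50_000):
    """Same audit against salted records. Each salt is unique, so no shared table exists:
    every (user, candidate) pair costs a full KDF run. Returns matches and the run count."""
    found, kdf_runs = {}, 0
    for user, (salt, digest) in records.items():
        for pw in wordlist:
            kdf_runs += 1
            if verify_salted(pw, salt, digest, iterations):
                found[user] = pw
                break
    return found, kdf_runs

# Constructed "leaked" list in the unsalted form described in the article:
# two weak passwords and one strong passphrase, hashed with SHA-1 and no salt.
LEAKED = [hashlib.sha1(p).hexdigest() for p in
          (b"password", b"password123", b"correct horse battery staple")]

if __name__ == "__main__":
    table = precompute_table(COMMON_PASSWORDS)
    print("unsalted:", audit_unsalted(LEAKED, table))  # the two weak ones match, the passphrase does not
    records = {"alice": store_salted("password123"), "bob": store_salted("correct horse battery staple")}
    found, runs = audit_salted(records, COMMON_PASSWORDS)
    print("salted:", found, "after", runs, "KDF runs")  # alice only, after 7 KDF runs
```

The same `audit_salted` loop is what a site can run against its own store to find accounts using passwords from a known-weak list; the KDF run count is the cost an attacker with the same hashes would face per guess.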

8 million passwords leaked

The technology news site Ars Technica reported that as many as eight million passwords were uploaded to the Inside Pro forum in two separate lists by a user identified as dwdm, with close to 6.5 million of the passwords coming from the LinkedIn database.

It took a user on the forum less than 2½ hours to crack 1.2 million of the hashed passwords, Ars Technica reported.

Without the associated log-in names, the recovered passwords have limited use, but that doesn't necessarily mean users are safe, says Thakur.


"We can never be certain that the people who put this database onto the public website have disclosed everything that they acquired," he said. "They may have just kept the usernames to themselves, and they're just waiting for the community to come out and tell them what these hashes correspond to. They know which user that password maps to, and they can take control of it."

Hacking into password databases like the ones that were posted to the forum is not a trivial matter, said Thakur.

"Getting a hold of these databases is not easy at all, and whoever did it either had a trick up their sleeve or were very good hackers who were able to circumvent all the security measures that had been put in place," he said.

Password databases are generally stored on an internal network, but for sites like LinkedIn, eHarmony and Last.fm they would also have to be accessible from an external portal since users have to log in to those sites.

ABOUT THE AUTHOR

Kazi Stastna

Senior Producer

Kazi Stastna is a senior producer with CBCNews.ca. She has worked as a features writer and copy editor with CBC's digital news team for over a decade, including in the Washington, D.C., bureau. Prior to that, she was at the Montreal Gazette and worked as a reporter and editor in Germany and the Czech Republic.