The user data of 43,570,999 subscribers to the Last.fm music site were posted on the pwned repository LeakedSource, according to Softpedia.
The data was stolen in a 2012 breach, at which time Last.fm advised its customers to reset passwords. Users of the website began complaining of receiving spam in May 2012 and the site began an investigation but didn't reveal how the breach occurred. Over a million user passwords were published at that time on a cryptography forum. The site is based in London and owned by U.S.-based CBS.
But it's only now that this new batch of stolen data has surfaced. The breach index service LeakedSource announced on Thursday that it had added the Last.fm data to its repository stating that the data includes usernames, email addresses, passwords, join dates and "some other internal data."
It took LeakedSource two hours to convert the data to visible passwords as they were stored using unsalted MD5 hashing, a method that the CMU Software Engineering Institute back in 2009 declared "cryptographically broken and unsuitable for further use."
LeakedSource reported that it received the stolen data from firstname.lastname@example.org, an account for the Jabber instant messaging service, which uses the Extensible Messaging and Presence Protocol (XMPP), thus anonymizing its subscriber details.
This, of course, is not the first site to have its subscribers' information listed on LeakedSource or dumped on the Dark Web, where it is put up for sale. The top 10 sites which have had user information breached, according to have i been pwned?, are MySpace, LinkedIn, Adobe, Badoo, VK, Dropbox, tumblr, iMesh, Fling, and AshleyMadison.
With the user data exposed, experts are warning about the possibilities opened to cybercriminals. “Last.fm's security breach has leaked enough details to leave users open to sophisticated phishing attacks," Wieland Alge, VP and GM EMEA at Barracuda Networks, told SCMagazine.com in an email on Thursday. The danger with a data breach of this scale, he said, is that at least some users will believe phishing emails are genuine, thereby opening the door to attackers.
"It's easy to discuss the threat of such breaches and believe that people are clever enough to not open attachments or fall for phishing scams, both at home and at work," Alge said. But, as past experience has shown, he added, when faced with a potential security incident, companies and IT security teams must over-communicate the threat, advise staff accordingly and review their security posture to prevent and contain any damage.
There's a risk too from people using the same password across multiple platforms or sites, Luke Brown, VP and GM EMEA, India and LatAm at Digital Guardian told SCMagazine.com in an email on Thursday. "In the worst-case scenario, an attacker could wreak havoc across social or gaming platforms with profane posts or insulting images." However, he said, it's an entirely different thing if those same passwords are used for corporate accounts. It is essential, he told SC, that organizations make sure that employees can't use the same password for their personal and professional systems. "Implementing a good password policy will ensure that these increasingly common password dumps can't be used to access or steal sensitive corporate information.”
Simon Moffatt, EMEA director, advanced customer engineering at ForgeRock, agreed. "Basic good housekeeping with respect to passwords should always leverage secure storage (salted hashing as opposed to encryption or clear text) and the need for users to comply to complex password policies."
Ryan O'Leary, VP of the Threat Research Centre at WhiteHat Security, provided some simple tips for securing yourself online:
1. Don't use the same password for all sites. If one site were to be breached all your accounts are effectively breached. At the very least, use a variety of passwords to minimize the impact of a breach.
While the latter does reduce user convenience, he said that password managers can help.
“The news about Last.fm shows why there's been so much talk recently about the death of the password," Moffatt said. "Username and password-based authentication can no longer provide a strong barrier between our sensitive information and the rest of the internet."
Forward-thinking organizations, he added, are beginning to embrace more advanced identity-centric solutions that improve the customer experience, while also providing stronger security. "One option is to add multi-factor authentication, such as one-time passwords, mobile push-based authentication, biometrics or a combination," Moffatt said. "But as robust as these methods are becoming, they still rely on a ‘lock and key' approach to security – once you're through the door, you have free rein over the data within."
The next big step forward, Moffat explained, will be continuous, behavior-based authentication and authorization. "This will involve creating a user-behavior profile, which gathers key criteria that make up the 'normal' usage pattern for any given user. Any deviation from the pattern will raise a red flag and lead to additional security questions or even removal of access."
This kind of technology will run entirely in the background, so the user will only ever be impacted if their behavior is deemed to be suspicious, he said.
"The release of Last.fm data teaches us that old breaches can continue to have serious implications on users' security for some time after the initial incident," Ryan O'Leary, VP of the Threat Research Center at WhiteHat Security, told SCMagazine.com in a Thursday email. Computer users are never out of danger from a data breach of personal information and passwords, he said, so as users, we need to take precautions against this.
"If your password for each website is unique, good job, you're one of the few people that use a different password for each service they log into," O'Leary said. "It is essential that we as a user community practice stricter personal security to mitigate the impact of data breaches that will, inevitably, occur."
SC reached out to Last.fm and CBS for comment but has not yet received a reply.