The firm has released another advisory, but many users complain about the notifications

Jun 9, 2012 08:25 GMT

Last.fm has released another update regarding the recently discovered incident. The details provided by the company don’t contain any useful information, but according to one user the list might have been leaked more than one year ago.

The Twitter user CrackMeIfYouCan, who is apparently the individual who ran the KoreLogic password cracking contest at DEFCON, claims that the list of password hashes was published in 2010 or 2011.

“The list has been ‘out there’ for a long time. I talked about it privately at 2011 DEFCON. It was originally posted by ‘bad guys’ on password cracking websites last year. I grabbed it, but it was promptly deleted,” he said.

CrackMeIfYouCan claims that there are 17.3 million unique MD5 hashes, most of which have already been cracked.

“It’s 17.3 million UNIQUE MD5s. So, who knows HOW many people used 'lastfm' as their passwords. Currently I have it at 95% cracked. Which is about average for a raw-md5 list,” he explained.

According to The H Security, their associates at Heise Security are in possession of 2.5 million password hashes. They confirm that the hashes are unsalted MD5, which means that every account using the same password ends up with the same hash and that the whole list can be attacked with precomputed tables.
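The following is an added example, not code from the article or from Last.fm, illustrating the two points above: with unsalted MD5 a "unique hash" count understates how many accounts share a cracked password, while a per-user salt plus an iterated KDF gives every account a distinct digest. The account list is constructed sample data.

```python
import hashlib
import os
from collections import Counter

# Constructed sample accounts (not real Last.fm data). Several users chose
# the same weak password, as the article suggests happened with "lastfm".
ACCOUNTS = [
    ("alice", "lastfm"),
    ("bob", "lastfm"),
    ("carol", "lastfm"),
    ("dave", "correcthorse"),
    ("erin", "hunter2"),
]

def raw_md5(password: str) -> str:
    """Unsalted MD5, the scheme the leaked list used (32 hex characters)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def unique_raw_hashes(accounts):
    """Count distinct unsalted hashes. Every user sharing a password collapses
    to one hash, so the unique-hash count hides how many accounts are behind
    each value."""
    return Counter(raw_md5(pw) for _, pw in accounts)

def accounts_sharing_password(hash_counter, password):
    """Number of accounts that sit behind the raw-MD5 hash of one password."""
    return hash_counter.get(raw_md5(password), 0)

def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user salt plus an iterated KDF (PBKDF2-HMAC-SHA256 here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()

def store_salted(accounts):
    """Build per-user records; identical passwords yield different digests."""
    records = {}
    for user, pw in accounts:
        salt = os.urandom(16)
        records[user] = (salt.hex(), salted_hash(pw, salt))
    return records

def verify_salted(records, user, password):
    """Check a login attempt against the stored salt and digest."""
    salt_hex, digest = records[user]
    return salted_hash(password, bytes.fromhex(salt_hex)) == digest

if __name__ == "__main__":
    counts = unique_raw_hashes(ACCOUNTS)
    print(f"{len(ACCOUNTS)} accounts, {len(counts)} unique raw MD5 hashes")
    print("accounts behind the 'lastfm' hash:", accounts_sharing_password(counts, "lastfm"))
    salted = store_salted(ACCOUNTS)
    print("unique salted digests:", len({d for _, d in salted.values()}))
```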

In the meantime, many Last.fm users are unhappy with the way the company is handling things, mainly because it fails to provide any specific details. Furthermore, the notification emails Last.fm has sent out are flagged by certain email clients as potential scams.

Unfortunately, the alerts seem easy to forge, and the links could be replaced with ones that lead to malicious sites. The only thing that makes the message look legitimate is the fact that the recipient's username is displayed.

Maybe they should have gone with the “linkless” email strategy that LinkedIn is adopting, in which the notification contains no clickable links and users are asked to visit the site directly instead.

On the other hand, to give Last.fm at least some credit, they claim to have implemented “a number of key security strategies around user data.”