43 million Last.fm users' passwords were stolen, so stop using that one old password already
The music streaming site and social network disclosed several years ago that it had been breached, informing users in a statement that "we are currently investigating the leak of some Last.fm user passwords," and prompting all users to change their passwords.
Now, breach monitoring service LeakedSource has received the stolen user data and analysed it - and says that all in all, 43,570,999 users' details were affected.
The stolen info included user email addresses and passwords. The passwords were not stored in plain text, but they were not protected securely by modern standards: Last.fm hashed them with the outdated MD5 algorithm and didn't "salt" them. Salting mixes a unique random value into each password before it is hashed, which makes the stored passwords harder to crack.
As a result, "it took us two hours to crack and convert over 96% of them to visible passwords," LeakedSource says.
The site's analysis of the passwords reveals that the most popular passwords were extremely weak. 255,319 people used the phrase 123456, while 92,652 used password. In third place was lastfm with almost 67,000, followed by 123456789 (just under 64,000), qwerty (46,000), and then abc123 (36,000).
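An added illustration, not code from Last.fm or LeakedSource, of what the missing salt means for a stored password table: with unsalted MD5 every account that chose the same password ends up with the same stored value, while a random per-user salt and a slow function such as scrypt give each account a different one. The user names are constructed sample data, and the scrypt parameters are an assumption chosen for the example.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not real data); the passwords are taken from
# the article's list of most common choices.
USERS = {"alice": "123456", "bob": "password", "carol": "123456", "dave": "lastfm"}


def legacy_md5(password):
    """Weak scheme described in the article: a single unsalted MD5 pass."""
    return hashlib.md5(password.encode()).hexdigest()


def scrypt_hash(password, salt=None):
    """Hardened scheme: random per-user salt plus a slow, memory-hard KDF."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(scrypt_hash(password, salt)[1], expected)


def shared_values(stored):
    """Count accounts whose stored value equals another account's."""
    counts = Counter(stored.values())
    return sum(c for c in counts.values() if c > 1)


def demo():
    """Build both password tables from the same sample accounts."""
    weak = {user: legacy_md5(pw) for user, pw in USERS.items()}
    strong = {user: scrypt_hash(pw) for user, pw in USERS.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = demo()
    print("accounts sharing a stored value, unsalted MD5:", shared_values(weak))
    print("accounts sharing a stored value, salted scrypt:", shared_values(strong))
    salt, digest = strong["alice"]
    print("alice's password verifies:", verify("123456", salt, digest))
```

In the unsalted table, one recovered value exposes every account that shares it; in the salted table each account has to be attacked separately, and each guess costs a full scrypt computation.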
Old data breaches like this can often result in new hacks of user accounts on other websites - because lots of people re-use the same passwords over and over. Would-be hackers comb through archives of old breaches for usernames and passwords and then try them on other sites and services. There has been a spate of hacks targeting high-profile Twitter accounts in recent months, including those of Facebook CEO Mark Zuckerberg and Kylie Jenner, using exactly this tactic.
And hackers were able to steal the details of nearly 70 million users from Dropbox back in 2012 because an employee who had access to the information had re-used a password - so a hacker was able to gain access to his account via a previous breach of another site.
Security experts recommend that you use a strong, unique password for every site or service you sign up for - using a password manager app to record them all if necessary.