And the worst passwords from the Last.fm hack are…

last

Remember Last.fm? It’s a music tracking and analytics service where users sign up to share what their favorite music is so they can discover who they’re frequently listening to, what other artists they might like, or talk to other fans of their favorite groups.

It was a pretty unique service when it first came out in the early 2000s, and it hit its peak popularity around 2009/2010. That popularity may have made it a target of a hack in 2012, the details of which we’re only just now learning.

According to LeakedSource, which publicly published the details of the hack this week, the Last.fm hack took place on March 22 2012. In this hack, the data for more than 43 million users was breached, including usernames, passwords and email addresses.

What happened?

Apparently user passwords were stored using unsalted MD5 hashing, which LeakedSource says took two hours to convert into readable plaintext passwords.

While Last.fm’s password encryption left much to be desired, sadly the breached passwords themselves weren’t much better.

The most popular password by far? “123456” – yes, seriously.

In fact, here are the top 10 most popular passwords, according to LeakedSource’s research:

Password Frequency
1 123456 255,319
2 password 92,652
3 lastfm 66,857
4 123456789 63,984
5 qwerty 46,201
6 abc123 36,367
7 abcdefg 34,050
8 12345 33,785
9 1234 30,938
10 music 27,975

Some users might not think a music logging site is important enough to merit a more complex password, but using passwords this insecure isn’t a good idea, especially if you’re likely to reuse them on other sites that are a bit more high-stakes.

What to do?

Even if your password wasn’t in the top ten, if you were ever a Last.fm user it’s a good idea for you to change your password right away. If you’ve re-used your Last.fm password anywhere else, make sure to change that too (and make each password unique for each online account you have).

If you’re not sure if your information was part of this breach, you can check using LeakedSource’s search.

And if you’d like to know how to pick a proper password, then we can help you with that.