
Last.FM joins Dropbox in confirming 2012 hack figure

More than 43 million accounts have been confirmed as compromised in a hack at Last.FM in 2012, underlining the weaknesses of password-based security

The number of people affected by a hack of the music streaming website Last.FM in 2012 has been confirmed at more than 43 million.

The news comes shortly after cloud storage service Dropbox confirmed that 68,680,741 user credentials were exposed in a data breach in the same year.

At the time of the breach, Last.FM urged its users to change their passwords immediately, but no details were given about what data or how many account holders were affected.

Breach notification site LeakedSource has revealed that the breach exposed the username, email address, password, join date and some other internal data of 43,570,999 users.

LeakedSource said the Last.FM passwords were stored using unsalted MD5 hashing, which is so insecure that it took only two hours to crack and convert over 96% of them to visible passwords.

Many security experts do not consider passwords to be adequately protected unless they are stored in a salted, hashed and stretched form.

Salting adds a random string to the password text before it is hashed, hashing cryptographically scrambles the salted password into a digest, and stretching runs the hashing process many times so that each guess costs the attacker more work.

The most common password in use by Last.FM subscribers was “123456”, followed by “password”, “lastfm”, “123456789” and “qwerty”.
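As an added example, not code from the article or from Last.FM, the following contrasts the unsalted MD5 storage described above with the salted, hashed and stretched form, using the five common passwords listed above as a constructed sample. PBKDF2-HMAC-SHA256 with 200,000 iterations is an assumed choice of stretching scheme; the account names are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample: the five most common Last.FM passwords named in the article.
COMMON_PASSWORDS = ["123456", "password", "lastfm", "123456789", "qwerty"]

# Stretching parameter (assumption: 200,000 PBKDF2 iterations; tune for your hardware).
ITERATIONS = 200_000


def md5_unsalted(password: str) -> str:
    """How the breached Last.FM passwords were stored: one fast, unsalted MD5 per password."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_table_hits(stored_hashes: Dict[str, str]) -> Dict[str, str]:
    """Why unsalted hashes fail: a table of common-password hashes computed once
    matches every account that used one of those passwords, with no per-user work."""
    table = {md5_unsalted(p): p for p in COMMON_PASSWORDS}
    return {user: table[h] for user, h in stored_hashes.items() if h in table}


def store_salted_stretched(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, hashed and stretched form: random 16-byte salt, PBKDF2-HMAC-SHA256
    run ITERATIONS times. Returns (salt, digest); both are kept per user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted_stretched(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample accounts; two of them share the most common password.
    users = {"alice": "123456", "bob": "123456", "carol": "correct horse battery staple"}
    unsalted = {u: md5_unsalted(p) for u, p in users.items()}
    print("identical unsalted hashes:", unsalted["alice"] == unsalted["bob"])  # True
    print("matched from lookup table:", lookup_table_hits(unsalted))  # alice and bob
    salted = {u: store_salted_stretched(p) for u, p in users.items()}
    print("identical salted digests:", salted["alice"][1] == salted["bob"][1])  # False
    print("verify alice:", verify_salted_stretched("123456", *salted["alice"]))  # True
```

With a per-user salt the precomputed table no longer applies and identical passwords no longer share a stored value, while the iteration count makes each remaining guess far slower than a single MD5.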


Jason Hart, CTO data protection at Gemalto, said breaches such as those at Last.FM and Dropbox are a reminder that passwords alone are no longer enough.

“Unless organisations use two-factor authentication they will remain vulnerable to password-based attacks,” he said.

Additional security measures designed to secure the data itself, such as encryption and proper key management, have to be part of any cyber security strategy, said Hart.

The Gemalto Breach Level Index revealed that in the second quarter of 2015, less than 4% of all breaches were “secure breaches”.

“A ‘secure breach’ is where the data stolen cannot be used as the appropriate data protection measures were in place,” said Hart.
