A number of mega breaches have come to light in 2016. The list continues to grow, with news that the data from a 2012 Last.fm data breach has just surfaced.
The last.fm data breach in question occurred on March 22, 2012. It is now known that 43,570,999 login credentials were stolen in the cyberattack.
In contrast to some of the large-scale data breaches from 2012, the music tracking website did not store passwords in plaintext; however, the method used to protect them was not particularly secure. The passwords were stored as unsalted MD5 hashes.
The methods used to protect passwords are now far superior to those used in 2012. Passwords are usually stored as hashes, but the algorithms used are deliberately slower and more complex, and passwords are also salted. By salting the hashes – combining each password with random data before it is hashed – identical passwords no longer produce identical hashes, precomputed lookup tables become useless, and it is far more difficult for attackers to recover the plaintext. Unsalted MD5 hashes, however, can easily be reverted back to plaintext using modern brute-force password cracking techniques. Researchers at LeakedSource, who were recently provided with the data, were able to crack 96% of the passwords within 2 hours.
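To make the contrast concrete, here is an added example (not code from the article or from Last.fm) that places the 2012-era scheme the article describes, a single unsalted MD5, beside a salted, iterated scheme. The modern scheme is assumed to be PBKDF2-HMAC-SHA256 (the article names no specific algorithm), the iteration count is an assumption chosen to keep the example fast, and the sample passwords are constructed for illustration. The key observation it demonstrates is the one the paragraph makes: with unsalted MD5, two accounts sharing a password store the same hash, so one precomputed table answers every account at once; with a per-user salt they do not, and each account has to be attacked separately at the cost of the slow hash.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample passwords for the demonstration (not from the breach data).
SAMPLE_PASSWORDS = ["123456", "password", "correct horse battery staple"]

# Iteration count is an assumption for this example; production values
# should follow current guidance for the chosen KDF.
PBKDF2_ITERATIONS = 100_000


def legacy_md5(password: str) -> str:
    """The 2012-era scheme described in the article: one unsalted MD5 hash.

    No salt and no work factor, so the same password always yields the same
    digest and a precomputed table can be matched against every account.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def modern_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted, iterated PBKDF2-HMAC-SHA256 (assumed modern scheme).

    Returns (salt, digest); both must be stored so the password can be
    verified later. A fresh random salt is drawn when none is supplied.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return salt, digest


def verify_modern(password: str, salt: bytes, digest: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute the salted hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations)
    return hmac.compare_digest(candidate, digest)


def same_password_same_hash(hasher, password: str) -> bool:
    """True if hashing the same password twice yields the same stored value.

    This is the property that makes unsalted hashes vulnerable to
    precomputed (rainbow/lookup) tables.
    """
    return hasher(password) == hasher(password)


def flag_weak_unsalted_accounts(stored: dict, weak_passwords: list) -> dict:
    """Defender-side audit for an unsalted-MD5 store.

    Given {username: md5_hex} and a list of known-weak passwords, return the
    accounts whose stored hash matches one of them. Because the scheme is
    unsalted, the weak list is hashed once and checked against every account,
    which is exactly why such a store offers so little protection.
    """
    table = {legacy_md5(p): p for p in weak_passwords}
    return {user: table[h] for user, h in stored.items() if h in table}


if __name__ == "__main__":
    pw = SAMPLE_PASSWORDS[0]
    print("unsalted MD5 repeats:", same_password_same_hash(legacy_md5, pw))
    print("salted PBKDF2 repeats:",
          same_password_same_hash(lambda p: modern_hash(p)[1], pw))

    salt, digest = modern_hash(pw)
    print("verify correct password:", verify_modern(pw, salt, digest))
    print("verify wrong password:", verify_modern("wrong", salt, digest))

    # Constructed sample store: two users share a weak password.
    store = {"alice": legacy_md5("123456"),
             "bob": legacy_md5("123456"),
             "carol": legacy_md5("correct horse battery staple")}
    print("accounts needing a forced reset:",
          flag_weak_unsalted_accounts(store, ["123456", "password"]))
```

The audit function is the kind of check an operator of a legacy store would run to force resets on accounts using known-weak passwords; the same check against the salted store would require recomputing PBKDF2 per account with that account's salt, which is the cost that slows an attacker down.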
Some of the huge data dumps of 2016 have come as something of a surprise, with little to no details published on the breaches around 2012/2013 when they actually occurred. The Last.fm data breach is a little different, as users of the site were notified of a password leak approximately three months after the cyberattack occurred.
The dataset provided to LeakedSource, which has now been verified as genuine, includes usernames, passwords, internal data associated with the site, and the date that each member joined last.fm.
After cracking the passwords, LeakedSource compiled a list of the most common passwords used on the site. Back in 2012, many users were not creating secure passwords. In fact, some of the passwords were so poor that it was barely worth setting them.
The top ten passwords used by last.fm account holders were:
Unfortunately, as recent reports have shown, a large number of Internet users have not become any better at creating passwords over the past 4 years.