Last.fm latest site to report password leak - Action News

Last.fm latest site to report password leak

The music streaming website Last.fm is investigating a possible leak of users' passwords that is likely related to similar security breaches at LinkedIn and eHarmony.

Part of same security breach as leaks at LinkedIn, eHarmony

A screen grab of the message Last.fm posted on its Twitter page advising users that their passwords may have been compromised. The leak is part of a security breach that saw several million passwords uploaded to an online forum devoted to password cracking. (Last.fm)


In an advisory posted on its site Thursday, the company said it was looking into the leak and advised users to change their passwords.

It warned users that it would never email them a direct link to update their settings or ask for their password.

Earlier in the week, the popular networking site LinkedIn and the dating site eHarmony reported that some of their users' passwords had been leaked.

The passwords are believed to have been uploaded by a Russian hacker to an online forum dedicated to collectively cracking passwords on the site InsidePro.com, which sells password recovery software.

They were uploaded without usernames attached, and not as plain text but as hashes: the output of a one-way function that transforms the password text into a fixed-length code.

Hashing makes the passwords harder to recover, but it is not encryption and there is no key that turns a hash back into a password. Instead, cracking software hashes large lists of candidate passwords and checks which candidates produce a hash that appears in the leak, so common or simple passwords are recovered almost immediately.

"A lot of users have very simple passwords like the word 'password' or 'password123'," said Vikram Thakur, a researcher with the computer security firm Symantec. "Even without knowing the hash which is in the database, it's very easy for them to compute the hashes of some very commonly used passwords and then just ... see which one it matches to."

8 million passwords leaked

The technology news site Ars Technica reported that as many as eight million passwords were uploaded to the InsidePro forum in two separate lists by a user identified as dwdm, with close to 6.5 million of the passwords coming from the LinkedIn database.

It took a user on the forum less than 2 hours to crack 1.2 million of the hashed passwords, Ars Technica reported.

Without the associated log-in names, the cracked passwords have limited use, but that doesn't necessarily mean users are safe, says Thakur.

"We can never be certain that the people who put this database onto the public website have disclosed everything that they acquired," he said. "They may have just kept the usernames to themselves, and they're just waiting for the community to come out and tell them what these hashes correspond to. They know which user that password maps to, and they can take control of it."

Hacking into password databases like the ones that were posted to the forum is not a trivial matter, said Thakur.

"Getting a hold of these databases is not easy at all, and whoever did it either had a trick up their sleeve or were very good hackers who were able to circumvent all the security measures that had been put in place," he said.

Password databases are generally stored on an internal network, but for sites like LinkedIn, eHarmony and Last.fm they must also be reachable from the public-facing login system, since users have to log in to those sites.