The H-Online: A list with several million passwords belonging to users of the music community site Last.fm has been posted on the internet. The site owners have posted a statement saying that the company is investigating the leak and that all users of the service should change their passwords immediately. This is the third major compromise of a popular web site’s passwords in as many days.
The H’s associates at heise Security are in possession of a list containing approximately 2.5 million password hashes. Like the recently leaked data from eHarmony, these are unsalted MD5 hashes that are trivial to crack in today’s world of fast CPU and GPU hardware and specialised techniques such as using rainbow tables. At least one million of these hashes have already been cracked and the clear text passwords have also been posted on the internet. The hashes that were leaked from LinkedIn were generated using the SHA-1 algorithm.
Users of the Last.fm service are advised to change their password immediately. Furthermore, it would be prudent for any users who have reused their passwords to change them on other web sites as well. The article Storing passwords in uncrackable form at The H Security explains how server administrators can prevent passwords from being cracked this easily.