In March of 2012, Last.fm issued a warning to users, encouraging them to change their passwords, after the music service learned of the existence of leaked account records. Turns out, the leak was 43 million records large, and four years later they've surfaced in the public.
On Thursday, LeakedSource added 43,570,999 records to their database, after someone sent them the Last.fm collection. In 2012, the music service admitted the account passwords were unsalted and hashed via MD5, something LeakedSource confirmed after adding the records to their service.
In just over two hours, LeakedSource had cracked about 96 percent of the Last.fm list, revealing passwords such as 'lastfm', 'password', 'abc123', 'iloveyou', and everyone's favorite – '123456'
The compromised database also showed account growth on Last.fm from 2002 to 2012. According to the stats, the service gained more than ten million new users in 2009 and 2010.
Last week LeakedSource disclosed the existence of 27 million compromised accounts, a majority of them from mail.ru, that were exposed due to vulnerabilities in vBulletin. In all, more than a dozen compromised domains were running unpatched versions of the vBulletin software, which allowed attackers to leverage SQL Injection vulnerabilities.
Salted Hash has reached out to Last.fm for comment, but the service didn't respond.