First LinkedIn (s LNKD), then eHarmony, and now possibly Last.fm. As the number of sites falling victim to password hackers continues to grow, the questions are flooding in: are these incidents all connected? And, perhaps more importantly, who’s next?
On Thursday, the CBS-owned (s CBS), London-headquartered music site told users that it was investigating a potential password leak — and that while evidence of what had been published and how it may have been obtained was not entirely clear, it wanted to take the precaution of getting users to change their details.
Here’s the announcement:
We are currently investigating the leak of some Last.fm user passwords. This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately.
We’re sorry for the inconvenience around changing your password; Last.fm takes your privacy very seriously. We’ll be posting updates in our forums and via our Twitter account (@lastfm) as we get to the bottom of this.
The company has not made any other public statement, but it’s clearly extremely concerned about the possibility of passwords being leaked in the wake of the other breaches — which saw more than 14 million passwords from LinkedIn and eHarmony appear online.
Right now the extent of Last.fm’s breach is not clear, but warning all users to change their security details is not something that any web service takes lightly, given the potential damage to the site’s reputation.
All three incidents appear to be linked to a single web forum, frequented by cryptographers and fraudsters, where password hashes are often posted and decrypted. As Ars Technica reports, the LinkedIn and eHarmony breaches are linked to a hacker known only as “dwdm” — a Russian-speaking individual who has been dumping data on passwords for some time.
There appear to have been a series of dumps over recent days, although the posts have now been removed from the site in question and the original seem to have disappeared from Yandex Disk (the equivalent of Google Drive, where dwdm was storing data).
More to come, surely.
Photograph copyright Shutterstock / Tatiana Popova