LeakedSource announced that it has received 43,570,999 user records from music streaming service Last.fm. The data was reportedly stolen in March 2012 and has been verified. Each record contains username, email address, password and some other internal data.
The hashed passwords used the outdated MD5 algorithm, which was declared ‘cryptographically broken and unsuitable for further use’ by the CMU Software Engineering Institute back in 2009. IT security experts from Barracuda, Digital Guardian, ForgeRock and WhiteHat Security commented below.
Wieland Alge, VP & GM EMEA at Barracuda Networks:
“Last.fm’s security breach has leaked enough details to leave users open to sophisticated phishing attacks. The danger with a data breach of this scale is that at least some users will believe phishing emails are genuine, thereby opening the door to attackers.
“It’s easy to discuss the threat of such breaches and believe that people are clever enough to not open attachments or fall for phishing scams, both at home and at work. However, experience tells us that when faced with a potential security incident, companies and IT security teams must over-communicate the threat, advise staff accordingly and review their security posture to prevent and contain any damage.”
Luke Brown, VP and GM EMEA, India and LatAm at Digital Guardian:
“It’s one thing for users to have the same password across all of their personal profiles. In the worst-case scenario, an attacker could wreak havoc across social or gaming platforms with profane posts or insulting images. However, it’s an entirely different thing if those same passwords are used for corporate accounts.
“It is essential that organisations make sure that employees can’t use the same password for their personal and professional systems. Implementing a good password policy will ensure that these increasingly common password ‘dumps’ can’t be used to access or steal sensitive corporate information.”
Simon Moffatt, EMEA Director, Advanced Customer Engineering at ForgeRock:
“Basic good housekeeping with respect to passwords should always leverage secure storage (salted hashing as opposed to encryption or clear text) and the need for users to comply to complex password policies (for example). Whilst the latter does reduce user convenience, password managers can help.
“The news about Last.fm shows why there’s been so much talk recently about the death of the password. Username and password-based authentication can no longer provide a strong barrier between our sensitive information and the rest of the Internet. Forward thinking organisations are beginning to embrace more advanced identity-centric solutions that improve the customer experience, while also providing stronger security.
“One option is to add multi-factor authentication, such as one time passwords, mobile push based authentication, biometrics or a combination. But as robust as these methods are becoming, they still rely on a ‘lock and key’ approach to security – once you’re through the door, you have free rein over the data within. The next big step forward will be continuous, behaviour-based authentication and authorisation.
“This will involve creating a user behaviour profile, which gathers key criteria that make up the “normal” usage pattern for any given user. Any deviation from the pattern will raise a red flag and lead to additional security questions or even removal of access. Importantly, this kind of technology will run entirely in the background, so the user will only ever be impacted if their behaviour is deemed to be suspicious.”
Ryan O’Leary, VP Threat Research Centre at WhiteHat Security:
“The release of Last.fm data teaches us that old breaches can continue to have serious implications on users’ security for some time after the initial incident. It seems that not a day goes by without news of a breach and now millions of emails and passwords are being sold like ice cream from a van.
“We’re never out of danger from a data breach of our personal information and passwords. As users, we need to take precautions against this. If your password for each website is unique, good job, you’re one of the few people that use a different password for each service they log into. It is essential that we as a user community practice stricter personal security to mitigate the impact of data breaches that will, inevitably, occur.
“So, here are some simple tips for securing yourself online:
- Don’t use the same password for all sites. If one site were to be breached all your accounts are effectively breached. At the very least, use a variety of passwords to minimise the impact of a breach
- Turn on two factor authentication for any app that supports it. Yes it’s a pain! But it’s also one of the best ways to protect your accounts
- Only login to sites that use SSL, you’ll know this by checking if there is a ‘https://’ before the rest of the URL
- Don’t click on any links or attachments in instant messages or emails. As tempting as they might look, you really are rolling the dice with your personal security.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.