Cyber Incident Victim: Last.fm
Date: Jan 2012
Location: United Kingdom
Summary
A music service suffered a significant data breach compromising over 43 million user accounts; the stolen information included usernames, email addresses, account creation dates, newsletter preferences, and advertising-related records. Passwords were stored as MD5 hashes, an algorithm unsuitable for credential storage, and were rapidly cracked, exposing over 96% of them within hours. Independent verification confirmed the legitimacy of the breached data, which was subsequently integrated into a public searchable database so that affected users could check their exposure. The incident highlighted the risk of legacy cryptographic practices for credential storage.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In March 2012, Last.fm experienced a significant data breach compromising user account information, though the incident remained undisclosed until external analysis revealed its scope years later. The breach impacted over 43.5 million accounts, representing nearly the entire user base of the music service at the time, which was owned by CBS Interactive. Attackers exfiltrated databases containing usernames, email addresses, account creation dates, and internal records including newsletter subscription statuses and advertising-related metadata. Passwords were stored as MD5 hashes, an outdated algorithm whose weaknesses were already well known in 2012. The breach remained publicly unacknowledged by Last.fm until September 2016, when LeakedSource, a third-party breach notification service, obtained and analyzed the stolen database. LeakedSource confirmed the authenticity of the data through technical examination and disclosed that the breach had occurred four years earlier.

The compromised password hashes proved highly vulnerable because of MD5's weaknesses: according to LeakedSource's analysis, 96% of the hashed passwords were cracked within two hours. This exposed plaintext credentials for the vast majority of affected accounts and significantly raised the risk of credential-stuffing attacks against users who reused passwords across multiple services. ZDNet independently verified the legitimacy of the leaked dataset through forensic examination, corroborating LeakedSource's findings about the breach's scale and technical specifics. LeakedSource integrated the stolen records into its searchable database, allowing individuals to check whether their account details had been compromised. No information regarding Last.fm's internal detection methods, containment procedures, or post-breach user notifications was disclosed in the available documentation. The four-year gap between the breach and its public confirmation highlighted the delay in transparency about the incident's occurrence and the severity of its impact.
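As an added illustration, not part of this incident record and not Last.fm's code: a defender's audit of a credential table stored the way the page describes (unsalted MD5 hex digests), placed beside a salted PBKDF2 scheme and a login-time migration that replaces legacy records as users authenticate. User names, passwords and the table itself are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample in the style of a legacy store: unsalted MD5 hex digests.
# Two users chose the same password, so their records are identical.
LEGACY_USERS = {
    "alice": hashlib.md5(b"password1").hexdigest(),
    "bob": hashlib.md5(b"password1").hexdigest(),
    "carol": hashlib.md5(b"Tr0ub4dor&3").hexdigest(),
}

PBKDF2_ROUNDS = 200_000  # assumption for the example; tune for your hardware


def legacy_md5_weaknesses(table):
    """Audit a {user: record} table. Returns the users whose record looks like
    a bare 32-hex digest (unsalted MD5) and the groups of users sharing a
    record: identical passwords give identical hashes, which is exactly what
    lets an unsalted store be attacked in bulk rather than per user."""
    md5_shaped = {u for u, h in table.items()
                  if len(h) == 32 and all(c in "0123456789abcdef" for c in h)}
    groups = {}
    for user, record in table.items():
        groups.setdefault(record, []).append(user)
    shared = {h: users for h, users in groups.items() if len(users) > 1}
    return md5_shaped, shared


def hash_password(password: str) -> str:
    """Salted, iterated hash: a random 16-byte salt per user means equal
    passwords no longer produce equal records, and each guess costs rounds."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$" + salt.hex() + "$" + digest.hex()


def verify_password(password: str, record: str) -> bool:
    scheme, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def upgrade_on_login(table, user, password) -> bool:
    """Transparent migration: a legacy MD5 record that matches the supplied
    password is replaced by a salted record; a new-style record is verified."""
    stored = table[user]
    if stored.startswith("pbkdf2_sha256$"):
        return verify_password(password, stored)
    if hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored):
        table[user] = hash_password(password)
        return True
    return False
```

Running the audit before migration shows every record flagged and alice and bob grouped together; after their next logins the shared-hash group disappears because each new record carries its own salt.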
