Last.fm, the online music streaming service, said it has implemented ‘more rigorous’ security for customer account passwords in the wake of reports that some of those passwords had been leaked online.
In a post on the company’s website, Last.fm said its investigation into reports that hashed (one-way scrambled) passwords for Last.fm accounts were among those found on a Russian website this week wasn’t complete but was “important enough to act on.” The company reiterated its request that all users change their account password, as well as the password on any other sites where they reused it. The company also said it had taken additional steps to secure password data, though it did not go into detail about what those steps were.
“All the updated passwords since yesterday afternoon have been secured with a more rigorous method for user data storage,” the company said. Last.fm would be “redoubling our efforts to protect our users’ data” going forward, according to the post.
Little is known about how the Last.fm passwords were stored or how they were ultimately obtained by hackers. Statements from LinkedIn.com and eHarmony.com, which also suffered breaches, have revealed security flaws in the way those companies stored hashed password values within their back-end databases. In particular, LinkedIn relied on passwords that were hashed using a single pass through the SHA-1 hash algorithm and didn’t employ so-called “salts” to add complexity to the stored value. That has made it easy for hackers to match hashed values with known passwords up to a certain length.
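The difference between the single-pass, unsalted SHA-1 storage described above and a salted, deliberately slow scheme can be shown in a short added example, which is not code from Last.fm, LinkedIn or the original article. PBKDF2-HMAC-SHA256, the iteration count, the record format and all function names are assumptions chosen for illustration; the article does not say which method Last.fm adopted.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware


def legacy_sha1(password: str) -> str:
    """Single-pass, unsalted SHA-1: the weak scheme described in the article."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256, as a self-describing record."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a password against either record format, comparing in constant time."""
    if record.startswith("pbkdf2_sha256$"):
        _, iters, salt_hex, dk_hex = record.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return hmac.compare_digest(legacy_sha1(password), record)


def login_and_upgrade(db: dict, user: str, password: str) -> bool:
    """Verify a login; if the stored record is still legacy SHA-1, replace it."""
    record = db.get(user)
    if record is None or not verify_password(password, record):
        return False
    if not record.startswith("pbkdf2_sha256$"):
        db[user] = hash_password(password)  # re-hash while the plaintext is in hand
    return True


if __name__ == "__main__":
    # Constructed sample data: two users who chose the same password.
    db = {"alice": legacy_sha1("correct horse"), "bob": legacy_sha1("correct horse")}
    print("legacy records identical:", db["alice"] == db["bob"])
    login_and_upgrade(db, "alice", "correct horse")
    login_and_upgrade(db, "bob", "correct horse")
    print("upgraded records identical:", db["alice"] == db["bob"])
```

Without a salt, every account with the same password stores the same value, so one precomputed match exposes all of them; with a per-user salt the two upgraded records differ even though the passwords are equal.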
An e-mail sent to Last.fm requesting information on the additional steps taken was not immediately returned.