The security breach that led to millions of Last.fm passwords being compromised happened at least three months ago — and remained undetected, despite the fact that the company suspected in May that it had been targeted.
On Thursday, the CBS-owned, London-based music website became the latest website — after LinkedIn and eHarmony — to reveal that its data had been stolen, asking users to change their passwords after a dump of around 1.5 million passwords appeared on a cryptography forum.
Over the weekend, product chief Matthew Hawn posted an update saying that the hack had become apparent after a tip-off, and that the company had already upgraded its security as a result:
“Earlier this week, Last.fm received an email that let us know a text file containing cryptographic strings for passwords (known as “hashes”) that might be connected to Last.fm had been posted to a password cracking forum. We immediately checked the file against our user database and, while this review continues, we felt it was important enough to act on.
“We immediately implemented a number of key security changes around user data and we chose to be cautious and alert Last.fm users. We recommend that users change their password on Last.fm and on any other sites that use a similar password. All the updated passwords since yesterday afternoon have been secured with a more rigorous method for user data storage.”
But, while details of the attack only appear to have come to light in the last few days, evidence suggests that it actually happened at least three months ago — and that the company failed to catch it in the meantime.
In May, a number of users reported that they had been spammed at email addresses that could have only been available through Last.fm’s service. Customer support manager Matt Knapman responded by saying the company was investigating the incident and examining its systems for potential security breaches.
“We are investigating this matter urgently, running a security audit and looking at alternative ways the spamming of Last.fm users might have occurred.”
It appears this audit did not find evidence of the breach, nor did it uncover when the attack had taken place.
The timeline remains something of a mystery, but, despite rumors that it is the result of a breach that occurred in 2011, as suggested in this Reddit comment, I have learned that the attack most likely happened in February or March — three full months before the first evidence spilled online.
The security flaw responsible, however, goes much, much further back. Former Last.fm developer Russ Garrett admitted on Twitter that he was responsible for failing to implement extra levels of password cryptography when he wrote the original security code as an 18-year-old in 2003, adding later that he “very much regretted” not fixing the issue before he left the company around three years ago:
@jgrahamc ultimately the unsalted MD5 auth was doing. In my defence: I was 18. It was 2003. The PHP community had no idea of bcrypt then.
— Russ Garrett (@russss) June 7, 2012
But even this is not the whole story: it explains why hackers were able to get crackable versions of user passwords, but not how they were able to access the data in the first place. How that happened, I am led to believe, is still being looked into.
I’ve contacted Last.fm for comment, but it is yet to reply.