“Password protected… or are we?” – 43 million passwords in Last.fm hacking scandal


The hack of the music streaming platform, Last.fm, reportedly happened in March 2012, but it has taken a few years to uncover its true extent.

Earlier this month, an investigation found that a staggering 43,570,999 user accounts had been compromised in the hack.

Measured against other hacks, the number of people affected puts this one among the largest.

LeakedSource states that the cyber thief took not only passwords but also each individual’s account username, email address, and any other data they may have entered when registering with Last.fm. According to Last.fm’s own statistics at the time of the hack, an estimated 49 million users had a registered account. It does not take a genius to work out that the stolen data covers a huge proportion of the user base.

Because Last.fm has reportedly been so lax in its security procedures, it may have breached the Data Protection Act 1998. The Act gives individuals the right to have their data protected from misuse or abuse.

What is the Data Protection Act and how am I protected?

The Act was created with the purpose of protecting an individual’s personal data held by companies and organisations. The company is then responsible for handling personal data in the correct way.

Hacking is not always treated as a strict liability matter. Under strict liability, the victim does not necessarily have to prove carelessness or fault. The reason Last.fm’s breach may not fall into that category is that liability depends on what the company actually did to protect its customers’ personal data. One factor could be whether the hack was sophisticated or complex; some attacks by real professionals are very hard to defend against. The other thing to look at is whether adequate security was in place to protect the data in the first place.

I hate to be the bearer of bad news, but the passwords were protected with unsalted MD5 hashing, a method the CMU Software Engineering Institute advised was “unsuitable for further use” back in 2009. Hashing is the common way most websites store passwords: instead of keeping the password itself, the site keeps a one-way digest of it, so that a user’s credentials are stored more securely. However, as with most things, there is always a ‘better model’. The MD5 algorithm Last.fm used was seriously outdated, reports say. It was not mathematically strong enough to withstand modern attack methods, as the hack showed.

Further, Last.fm opted out of salting its hashes. Not to get too technical, but salting adds a level of protection by mixing a unique piece of random data into each password before it is hashed, so that two users with the same password end up with different stored hashes. This is a practice Last.fm should arguably have followed, as it had over 49 million users’ information to look after! Had it done so, the success of the hack could have been greatly reduced. By contrast, an unsalted MD5 hash adds no unique data at all, so identical passwords produce identical hashes and a precomputed table of common passwords can be matched against the whole database at once.
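To make the difference concrete, the following is an added example written for this page (it is not code from Last.fm or from the original article). It hashes the same weak password, ‘123456’ (the most popular choice on Last.fm according to the article), both without a salt and with a per-user random salt, and shows why a precomputed lookup table of common passwords recovers the unsalted hash instantly but learns nothing from the salted one. The third function shows the modern alternative a site would use today, a slow salted key-derivation function (PBKDF2 from Python’s standard library); the candidate list and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed list of common passwords for the lookup-table demonstration.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def md5_unsalted(password: str) -> str:
    """The scheme described in the article: a plain MD5 digest of the password.
    Every user who chose the same password gets exactly the same stored value."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def new_salt(length: int = 16) -> bytes:
    """A fresh random salt, generated per user from the OS entropy source."""
    return os.urandom(length)


def md5_salted(password: str, salt: bytes) -> str:
    """Salted variant: the random salt is prepended to the password before hashing,
    so identical passwords produce different digests for different users."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precompute digest -> password for a list of common passwords.
    This shortcut only works when the site stored unsalted hashes."""
    return {md5_unsalted(p): p for p in candidates}


def recover_from_table(table, digest):
    """Return the password whose unsalted MD5 matches 'digest', or None."""
    return table.get(digest)


def make_pbkdf2_record(password: str, iterations: int = 200_000) -> dict:
    """Modern storage: a salted, deliberately slow derivation (PBKDF2-HMAC-SHA256).
    The salt and iteration count are stored alongside the digest so it can be verified."""
    salt = new_salt()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_pbkdf2(password: str, record: dict) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def demo() -> dict:
    """Run the comparison for two users who both chose '123456'."""
    table = build_lookup_table(COMMON_PASSWORDS)
    alice_salt, bob_salt = new_salt(), new_salt()

    unsalted_alice = md5_unsalted("123456")
    unsalted_bob = md5_unsalted("123456")
    salted_alice = md5_salted("123456", alice_salt)
    salted_bob = md5_salted("123456", bob_salt)

    return {
        # Same password, same digest: duplicates are visible across the whole database.
        "unsalted_identical": unsalted_alice == unsalted_bob,
        # Per-user salt: the same password no longer looks the same.
        "salted_identical": salted_alice == salted_bob,
        # The precomputed table recovers the unsalted password immediately...
        "table_hit_unsalted": recover_from_table(table, unsalted_alice),
        # ...but the salted digest is not in any table built without Alice's salt.
        "table_hit_salted": recover_from_table(table, salted_alice),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints that the two unsalted digests are identical and that the lookup table recovers ‘123456’ from them, while the two salted digests differ and the table returns nothing for either. The PBKDF2 functions show the further step a modern site takes: the salt makes tables useless, and the high iteration count makes each guess expensive.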

There are strong grounds to believe that Last.fm did not take enough safety precautions and has breached fundamental principles of the Data Protection Act, chief among them the duty to keep its customers’ personal data safe and secure.

Information Commissioner’s Office Guidance

This is not the first time passwords have leaked, and it probably will not be the last. The shoe retailer Office was the victim of a hacking scandal just last year, and the situation is quite similar to Last.fm’s. The passwords stored on the Office website were unencrypted, which allowed the hacker to bypass the system with ease. Sally-Anne Poole, Manager at the ICO, identified breaches in two areas of data protection: “the unnecessary storage of older personal data and lack of security to protect data”. The latter is important for us, as Last.fm arguably had inadequate security measures in place to protect personal data.

Do not be a victim of cyber theft!

Our lawyers are experienced in, and dedicated to, fighting for the rights of data breach victims in the U.K. If you think you have been a victim, come forward now, and let us fight together to beat the cyber criminals.

Lastly… a word of wisdom

Put aside some time to change all those passwords. Hint: break the habit of reusing passwords and do not use ‘123456’ (the most popular password used for Last.fm accounts). Do it for your peace of mind, and mine.

www.dataleaklawyers.co.uk is © of Your Lawyers Limited - we are 'Authorised and Regulated by the Solicitors Regulation Authority (SRA number 508768)'