The hack of the music streaming platform, Last.fm, reportedly happened in March 2012, but it has taken a few years to uncover its true extent.
Earlier this month, an investigation found that a staggering figure of 43,570,999 user accounts had fallen victim to the hacking; a huge number.
In terms of how this stacks up with other hacks, it’s certainly up there with the volumes of people affected.
LeakedSource states that, not only were passwords taken by the cyber thief, but also each individual’s account username, email address, and other data that they may have entered when registering with Last.fm may have been compromised too. According to Last.fm statistics at the time of the hack, an estimated 49 million users had a registered account. It does not take a genius to work out that is a huge percentage of users and stolen passwords.
Because Last.fm has been so reportedly lax in security procedures, they may have breached the Data Protection Act 1998. This provides rights for an individual to make sure their data is protected from misuse or abuse.
What is the Data Protection Act and how am I protected?
The Act was created with the purpose of protecting an individual’s personal data held by companies and organisations. The company is then responsible for handling personal data in the correct way.
Hacking is not always considered to be a strict liability offence. With strict liability, the victim does not have to necessarily prove carelessness or fault. The reason that Last.fm’s breach may not be a strict liability offence is because it depends on what the company has done to protect their customer’s personal data. It could depend on whether the hack was sophisticated or complex, as one example. Some hacks by real professionals could be very hard to defend. So, the other thing to look at is whether there was adequate security in place to protect the data as well.
I hate to be the bearer of bad news, but the passwords used an unsalted MD5 hashing method of password protection, which was advised by the CMU Software Engineering Institute as “unsuitable for further use” back in 2009. Hashing is a common way of storing passwords on most websites which allows a user’s personal data to be stored more securely. However, as with most things, there can always be the ‘better model’. The MD5 algorithm Last.fm used was seriously outdated, reports say. It was not mathematically strong enough to shield modern hacking methods, as shown in the hack.
Further, Last.fm opted out of the salted hashing process. Not to get too technical, but salting adds a level of protection by adding random numbers to the hash for every password. This is a practice that Last.fm should arguably have taken as they had over 49 million user’s information to look after! If they had done so it could have decreased the success of the hack. In comparison, an unsalted MD5 hashing process does not add a piece of unique data in the some way salting does.
There are strong grounds to believe that Last.fm did not take enough safety precautions and have breached fundamental principles under the Data Protection Act. One being: the failure to keep their customers’ personal data safe and secure.
Information Commissioner’s Office Guidance
It is not the first, and probably not the last time, the leaking of passwords happens. The shoe retailer, Office, was a recent victim of a hacking scandal just last year. The situation is quite similar to Last.fm’s. The passwords stored on the Office website were unencrypted which allowed the hacker to bypass the system with ease. Sally-Anne Poole, Manager at the ICO, recognised a breach in two areas of data protection that was: “the unnecessary storage of older personal data and lack of security to protect data”. The latter is important for us as arguably Last.fm had inadequate security measures in place to protect personal data.
Do not be a victim of cyber theft!
Our lawyers are experienced and dedicated in fighting for the rights of data breach victims in the U.K. If you think you have been a victim, come forward now, and let us fight together to beat the cyber criminals.
Lastly… a word of wisdom
Put aside some time to change all those passwords. Hint: break the habit of reusing passwords and do not use ‘123456’ (the most popular password used for Last.fm accounts). Do it for your peace of mind, and mine.