Music service Last.fm believes user passwords may have been compromised along with yesterday’s LinkedIn leak. The company is encouraging everyone to change their passwords immediately.
“We are currently investigating the leak of some Last.fm user passwords. This follows recent password leaks on other sites, as well as information posted online,” said Last.fm in a blog post this morning.
On Wednesday a huge number of passwords, 6.5 million, turned up on a Russian forum. The passwords were believed to be from LinkedIn accounts, but were hashed and had to be cracked by security researchers. Soon after the researchers were called in, LinkedIn released a blog post confirming that a number of these passwords belonged to accounts on the business social network.
The Last.fm crew says that its own passwords may have been swiped up in the same leak, and will be updating users through its Twitter handle @lastfm while the investigation is ongoing. The company has not yet confirmed that accounts have been compromised, but still encourages users to change passwords now.
Last.fm also promises that it will “never email you a direct link to update your settings or ask for your password.” This is important to note, as a number of spoofed LinkedIn e-mails were sent to members asking them to update their accounts. These e-mails look like they come from LinkedIn, but are actually phishing for personal or financial information. ESET security researcher Cameron Camp confirmed that some of the links in these e-mails actually directed users to websites selling Viagra.
If you have not yet changed your LinkedIn or Last.fm passwords, now is a good time to do it. Often people use the same password for many different online services because it’s easier to remember. But if your LinkedIn password is the same as your Bank of America password, you can see how that would be an issue.