Did every single cybersecurity professional on the Internet go on vacation this week? We’re starting to wonder, because not 36 hours after breaches at LinkedIn and eHarmony comes word of another at Last.fm. Can’t we trust anyone to keep our information secure? Apparently not.
Earlier today, Last.fm alerted users that the company was “investigating the leak of some Last.fm user passwords.” From the phrasing, we can’t tell whether it’s connected to the LinkedIn and eHarmony hacks, or just a really unfortunate coincidence: “This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately.” Well, at least they preempted.
The LinkedIn and eHarmony breaches were connected (same hacker), so the obvious question is whether Last.fm is the third victim of a cybercriminal having a really great week. But this isn’t entirely out of the blue, as it sounds like Last.fm has been having some issues with user information lately. This post from Knapster01 (a customer support manager for the company) indicates that as far back as May 16, someone unsavory had gotten ahold of users’ email addresses, as Last.fm was investigating a flood of sketchy spam from gambling sites. He wrote:
We’ve had reports from the community that a few of you are seeing spam from gambling sites. We want to make one thing very clear: We never give or sell your address to third parties without your explicit consent for a specific purpose.
We are investigating this matter urgently, running a security audit and looking at alternative ways the spamming of Last.fm users might have occurred.
We take this abuse of our community very seriously and we appreciate your understanding and support as we work out what’s going on and put things right again.
But as of Tuesday, users were still kicking up a fuss about the spam.
We’ve reached out to Last.fm regarding the leak and will update if we hear anything.