How long ago did the Last.fm security breach happen?

According to a new report, the passwords might have been compromised several months ago, but the issue remained undetected.

Don Reisinger
CNET contributor Don Reisinger is a technology columnist who has covered everything from HDTVs to computers to Flowbee Haircut Systems. Besides his work with CNET, Don's work has been featured in a variety of other publications including PC World and a host of Ziff-Davis publications.

Last.fm's security breach that left user passwords open on a Russian hacker site last week might have shown its ugly face months ago, according to a new report.

Back in May, several Last.fm users took to the company's forums, saying that they had been receiving massive amounts of spam on e-mail addresses they created solely for Last.fm. Soon after, Last.fm customer support manager Matt Knapman said that his company was "investigating this matter urgently, running a security audit, and looking at alternative ways the spamming of Last.fm users might have occurred."

According to GigaOm, reporting today on that event, the audit apparently yielded no evidence of a major security breach.

Still, that users complained of spamming back in May is by no means a smoking gun. Exactly when the passwords were stolen, and the method by which they had been taken, have not been revealed. And to draw a correlation between that event, its corresponding audit, and the breach might not be so simple.

However, GigaOm's Bobbie Johnson also said today, citing a source, that the security breach that left Last.fm passwords open occurred in February or March. That followed a claim made by a Reddit poster, named "mingaminga," who said over the weekend that the password list "has been out there for a long time," adding that there were discussions about it at Defcon last year. So, Johnson argues, if a security audit was, in fact, conducted, it failed to discover a breach that had already occurred.

Last.fm's Matthew Hawn on Friday updated his company's blog with a new post, saying that it had been notified of the password leak early last week, adding that it had "implemented a number of key security changes around user data and we chose to be cautious and alert Last.fm users."

Last.fm last week announced that some of its user passwords had been stolen as part of a huge list of 6.5 million passwords dumped onto a Russian hacker site. LinkedIn and eHarmony last week came out with similar warnings, telling their users to change passwords immediately.

CNET has contacted Last.fm for comment on the report. We will update this story when we have more information.

Last.fm is owned by CNET parent company, CBS.