Last.fm has been hit with allegations that it missed a clear opportunity to catch a password breach before it became public. Meanwhile, fellow victim LinkedIn is insisting there is no evidence that any user accounts were breached following its own password hacking.
According to Last.fm, it received an e-mail tip-off that a list of user passwords (reported as 1.5 million users) had been made public. It says it immediately verified that the list was genuine, then introduced new security measures and urged users to change their passwords on Last.fm and on any other sites where they used the same details.
However, a number of posts and responses on the company’s user forums, spotted by GigaOM’s Bobbie Johnson, suggest that user e-mail addresses (if not necessarily passwords) had been acquired by spammers in early May. It appears the site carried out a security audit but either found no breach or failed to discover it before the password list went public.
Johnson also reports that the hacking itself likely took place in February or March, and that the security weakness that allowed it has been in place since 2003.
Meanwhile, LinkedIn suggests its own hacking incident, with an estimated 6.5 million passwords breached, has been merely a public relations nightmare rather than a security disaster. The site opted for the nuclear option of disabling all the affected passwords, then writing to the affected users.
The company took a two-stage approach, prioritizing those users whose passwords had been published in unencrypted form, then tackling cases where encrypted passwords had been made public. According to LinkedIn, the tactic paid off and it has had no reports of any accounts being breached as a result of the hacking.
As both these incidents show, along with Sony's seemingly atrocious handling of its own hacking case last year, only a small percentage of the public understands terms such as hashing and salting, or can tell whether a company is really doing enough to prevent hacking.
What really matters is the response when a hack takes place, and the two golden rules are to respond quickly and to keep users clearly informed.