[UPDATE] Last.fm has responded in more detail and is now notifying its members of the situation. Read the story here.
[ORIGINAL STORY]
Yet another site has had its passwords compromised in the wake of the LinkedIn password leak. Last.fm has announced that it has begun investigating the leak of passwords from its website. LinkedIn was the first site to discover that more than 6.4 million of its passwords had been leaked onto a hash-cracking site this week. eHarmony has subsequently discovered that some of its member’s passwords were also included in the leaked hash. Both of those companies have responded by locking down compromised user accounts and emailing their members with instructions on how to reset the password for their account.
The announcement that LinkedIn was a part of the password leak came through a message on its website that explains the situation. From the announcement:
We are currently investigating the leak of some Last.fm user passwords. This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately.
Oddly, Last.fm is not taking the same precaution as LinkedIn and eHarmony of disabling user accounts associated with known cracked passwords. Instead, the site is asking all of their members to log in and change their password. It is unknown whether the company has sent a mass email to its members detailing the situation, or whether they are relying on their website message.
The rest of the Last.fm message was part of what is becoming a standard template for these types of announcements. The company emphasized that it would never send an email to members with a link for a password update, suggested some simple password security tips for individual users, and apologized for any inconvenience the ordeal may cause its members. Last.fm also emphasized that it takes user privacy “very seriously.”