Public Service Annoucement: Last.fm Passwords Compromised
Wow, what a week!!!
Yet another firm, Last.fm, is claiming to have their passwords compromised. Per comments from last.fm it looks like the same attacker was able to use similar tactics to gain access to their environment:
The Last.fm crew says that its own passwords may have been swiped up in the same leak, and will be updating users through its Twitter handle @lastfm while the investigation is ongoing. The company has not yet confirmed that accounts have been compromised, but still encourages users to change passwords now.Source: VB/Media
It appears that there are already speared phishing attempts occuring on last.fm users so be weary of that as well:
Last.fm also promises that it will “never email you a direct link to update your settings or ask for your password.” Important to note, as a number of spoofed LinkedIn e-mails were sent to members asking them to update their accounts.
From the perspective of attackers, this is pretty big news. Their ability to infiltrate three distinct properties, and sizable properties at that, makes you wonder if a new, undisclosed, vulnerability has been found.