What happened
In March 2012 the music website Last.fm was hacked; public breach records date the incident to March 22, 2012. Last.fm acknowledged a leak of "some" user passwords that June and asked users to change them, but the true scale stayed unknown until the dataset surfaced publicly in September 2016 via the breach-index service LeakedSource. The dump held about 43 million account records containing 37,217,682 unique email addresses, each with the account's username, sign-up date, website and ad activity, and password stored as an unsalted MD5 hash.

MD5 is fast to compute and, without a per-user salt, every account that chose the same password carries the same hash, so one precomputed lookup table covers the whole dump. LeakedSource reported cracking about 96% of the passwords in roughly two hours, with "123456" the most common recovered password.
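The following is an added example, not code from the original page and not Last.fm's own code, that shows why unsalted MD5 storage collapses so quickly and what per-user salting with a slow hash changes. The user records and the six-word wordlist are constructed for the demo; PBKDF2-SHA256 is used here as the hardened comparison scheme by assumption, the page does not say what Last.fm migrated to.

```python
import hashlib
import secrets

# Constructed sample records: hypothetical users, NOT rows from the Last.fm dump.
SAMPLE_PASSWORDS = {
    "alice": "123456",
    "bob": "music4ever",
    "carol": "123456",       # same password as alice
    "dave": "Tr0ub4dor&3",   # deliberately absent from the wordlist below
}

# Constructed stand-in for the multi-gigabyte wordlists real crackers use.
WORDLIST = ["password", "123456", "qwerty", "music4ever", "lastfm", "letmein"]


def md5_unsalted(password: str) -> str:
    """The scheme the leaked records used: plain MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def leaked_records_unsalted(passwords=SAMPLE_PASSWORDS) -> dict:
    """What an unsalted MD5 store looks like: username -> md5(password)."""
    return {user: md5_unsalted(pw) for user, pw in passwords.items()}


def crack_unsalted(records: dict, wordlist=WORDLIST):
    """
    Hash each wordlist word once, then look every leaked hash up in that table.
    Work is one MD5 per wordlist word no matter how many users are in the dump,
    and identical passwords share a hash, so one hit recovers every such user.
    Returns (cracked: user -> password, number_of_hash_computations).
    """
    lookup = {md5_unsalted(w): w for w in wordlist}
    cracked = {user: lookup[h] for user, h in records.items() if h in lookup}
    return cracked, len(wordlist)


def pbkdf2_salted(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Hardened comparison scheme (assumed for the demo): salted, iterated hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def stored_records_salted(passwords=SAMPLE_PASSWORDS) -> dict:
    """Hardened store: username -> (random 16-byte salt, pbkdf2(password, salt))."""
    out = {}
    for user, pw in passwords.items():
        salt = secrets.token_bytes(16)
        out[user] = (salt, pbkdf2_salted(pw, salt))
    return out


def crack_salted(records: dict, wordlist=WORDLIST):
    """
    With a distinct salt per user there is no shared lookup table: every wordlist
    word must be re-hashed for every user, each at the slow PBKDF2 cost.
    Returns (cracked: user -> password, number_of_hash_computations).
    """
    cracked = {}
    work = 0
    for user, (salt, digest) in records.items():
        for w in wordlist:
            work += 1
            if pbkdf2_salted(w, salt) == digest:
                cracked[user] = w
                break
    return cracked, work


def distinct_hash_count(records: dict) -> int:
    """How many distinct stored hashes exist; unsalted stores leak password reuse."""
    return len({h if isinstance(h, str) else h[1] for h in records.values()})


if __name__ == "__main__":
    unsalted = leaked_records_unsalted()
    cracked, work = crack_unsalted(unsalted)
    print(f"unsalted MD5: {len(cracked)}/{len(unsalted)} cracked with {work} hashes, "
          f"{distinct_hash_count(unsalted)} distinct hashes (reuse visible)")
    salted = stored_records_salted()
    cracked_s, work_s = crack_salted(salted)
    print(f"salted PBKDF2: {len(cracked_s)}/{len(salted)} cracked with {work_s} slow hashes, "
          f"{distinct_hash_count(salted)} distinct hashes (reuse hidden)")
```

Both runs crack the same three weak passwords, because salting does not rescue "123456"; the difference is cost. The unsalted attack spent six cheap MD5 operations on four users and would still spend six on 37 million, while the salted attack had to pay per user and per candidate, which is what turns a two-hour job into an infeasible one at scale. The extra lesson in the unsalted output is the duplicate hash shared by alice and carol: password reuse is visible in the dump before any cracking starts.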
What data was exposed
The following types of personal data were compromised:
- Email addresses
- Passwords
- Usernames
- Website activity
Breach details
| Detail | Value |
|---|---|
| Breach name | Last.fm |
| Date | March 22, 2012 |
| Accounts affected | 37,217,682 |
| Domain | last.fm |
This summary is compiled from public breach-notification data and known leak databases. Figures reflect what those sources report and may be revised as more is learned. If something here looks wrong or you think your information is involved, contact our support team.
We report breaches as a factual record to help people check their exposure. Inclusion here is not an allegation of wrongdoing or negligence by Last.fm; it reflects a publicly reported security incident.
What to do now
Based on the data exposed in this breach, here are the steps you should take:
- Change your Last.fm password immediately, and replace it anywhere you reused the same password — the leaked MD5 hashes were unsalted and overwhelmingly cracked, so any reused credential should be treated as known to attackers.
- Use a unique, strong password per site (a password manager helps) and enable two-factor authentication wherever it is offered to blunt credential-stuffing attacks.
- Treat the exposed email address as a phishing and spam target: be wary of unsolicited messages referencing Last.fm or music services, and never enter credentials via links in such emails.
Check your exposure
Data breaches are one of the ways your personal information ends up on data broker sites. Run a free scan to see which sites are exposing your personal data — and take action to remove it.