- Total Records: 43,570,999
- Unique Emails: 37,456,596
- Unique Email Providers: 1,232,035
- Unique Usernames: 43,592,244
Last.fm 2012 Data Breach: 43 Million User Accounts Exposed
In March 2012, Last.fm—a popular music streaming and recommendation service—experienced a data breach that exposed information tied to more than 43 million user accounts. The incident compromised usernames, email addresses, and account passwords. Notably, passwords were stored using unsalted MD5 hashes, which left many users’ credentials potentially vulnerable. While Last.fm acknowledged a security issue in 2012 and urged users to change their passwords, it wasn’t until September 2016 that the true scale of the breach came to light. At that point, the stolen data surfaced online, confirming that tens of millions of accounts had been affected.
What Happened in the Last.fm Breach?
The breach began around March 2012, when threat actors managed to extract large portions of Last.fm’s user database. The attackers obtained essential account details like usernames and email addresses, along with the corresponding account passwords, which were hashed with unsalted MD5. Last.fm made public statements in 2012 about suspicious activity and advised users to reset their passwords. However, until the breached data was posted online in 2016, the full scope was not widely understood.
Scope and Impact
The Last.fm breach impacted approximately 43,571,000 user accounts worldwide. Individuals who signed up to stream or track music through Last.fm had their usernames, email addresses, and hashed passwords compromised. As MD5 hashing without additional security measures is widely regarded as insufficient, it’s likely that many passwords could be broken. This elevated the risk for users who reused their Last.fm passwords on other services.
What Data Was Exposed?
The breach included three main types of data for each affected account:
- Username
- Email address
- Password (stored as an unsalted MD5 hash)
No payment details or personal identity numbers were mentioned as part of this breach, but the compromised details could be valuable for phishing, spam, or credential-stuffing attacks elsewhere.
Timeline of the Last.fm Breach
- March 2012: Attackers gain unauthorized access to Last.fm’s user database and exfiltrate account data.
- June 2012: Last.fm releases an advisory about suspicious activity and recommends password changes.
- September 2016: The full dataset from the breach becomes publicly available online, revealing the actual scale of the incident—over 43 million users affected.
It was only after the data resurfaced in 2016 that the scale of the breach was confirmed to the public.
Frequently Asked Questions
How many users were impacted by the Last.fm breach?
The Last.fm breach affected approximately 43,571,000 user accounts, making it one of the largest incidents involving a music streaming service to date.
What information was leaked in the Last.fm data breach?
Information exposed included usernames, email addresses, and user account passwords. The passwords were stored as unsalted MD5 hashes, which increases the risk of those credentials being deciphered by malicious actors.
When did the Last.fm breach happen?
The unauthorized access occurred in March 2012, though Last.fm publicly recommended password resets in June 2012. The breach’s full extent wasn't made public until September 2016.
How did Last.fm store user passwords?
Last.fm stored account passwords as unsalted MD5 hashes. This form of password protection is widely considered inadequate by modern security standards and can be vulnerable to cracking techniques.
How can I check if I'm in the Last.fm breach?
You can check if your information was part of the Last.fm breach by utilizing the DeHashed search engine.