I received an email from HaveIBeenPwned this morning – the incredibly useful service that lets you know if your username and password were released in a data breach. This time around it was last.fm – a streaming radio station that was pretty popular a long, long time ago. I went to log into the system and checked my gmail account for email from last.fm to see if I had my membership confirmation email – nothing. I had 1 email from last.fm back in 2008 when I had received a friend request (I am so popular!) – that was actually a spam request.
Obviously I had not used the service for a very, very long time. The data breach occurred in 2012, was known about in 2012 and yet they had done nothing about it then. They had also not done anything about it recently after the data breach was leaked, as I had not received an email from them letting me know my account had been breached.
To add insult to injury, the old password was still active and I was able to log in with it. I can understand a small pokey geocaching website not understanding security correctly and leaving passwords the same after a data breach with only a small notification on the website, but even they reacted after I sent them an email to say they need to do something better and at least inform their visitors and ideally change their passwords. Last.fm really has no excuse, as they are big enough that they should know better, and all of the accounts should have had their passwords changed once the breach was public or, better yet, when they knew about the breach.
Instead, the list of usernames and passwords is still out there for people to search and log in with.
I guess the argument for not changing the account password is to let the subscriber log in with their original password that they know about. If the email address was now invalid and the password was changed by last.fm then the user would not be able to get into their account anymore. On the other hand, if last.fm does not change the password, anyone could log into the account, reset the password, have access to all the data (including the person's email address) and the account holder would not be able to gain access. The hacker will not be able to change the email address though, as they have put protection in place to prevent the email address being changed without a verification email link being clicked on, so I guess that is something.
This is also yet another reminder to use a password manager to “remember” all of your passwords for each site – don’t use the same one at each location. I highly recommend LastPass (unless you are a user with multiple accounts at Office365). At $12 a year for syncing between all of your devices it is well worth the cost, and if you sign up with the link above we both get an extra month for free. I used to use the free KeePass software, which is standalone and doesn’t hook into your browser like LastPass, but it can also sync between devices (with a bit of finagling).
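Checking whether a password has already shown up in a breach list is something a site (or a password manager) can do without ever sending the password anywhere. The Pwned Passwords service behind HaveIBeenPwned does this with a k-anonymity range query: only the first five hex characters of the password's SHA-1 hash are sent, and the service returns every suffix it knows for that prefix with a breach count. The example below is added here and is not code from HaveIBeenPwned or last.fm; the range response is constructed inline so it runs offline, and the suffix counts in it are invented.

```python
import hashlib

# Constructed stand-in for a Pwned Passwords range response. The real API
# returns one "SUFFIX:COUNT" line per known hash for the requested 5-char
# prefix; the counts here are invented for the example.
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"  # SHA-1("password")
        "1F2E3D4C5B6A79880706050403020100ABC:2\r\n"        # invented suffix
    ),
}


def split_sha1(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.

    Only the 5-character prefix leaves the client in a k-anonymity lookup.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} mapping."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP range call; serves the constructed data above."""
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix, "")


def pwned_count(password: str, fetch_range=offline_fetch_range) -> int:
    """Number of times the password appeared in breach data (0 if never).

    fetch_range(prefix) -> response body; swap in a real HTTP call to use
    the live service. The full password or hash is never passed to it.
    """
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def should_force_reset(password: str, account_in_breach_dump: bool) -> bool:
    """Reset policy a site could apply: force a reset if the account itself
    was in a leaked dump, or if the password is known from any breach."""
    return account_in_breach_dump or pwned_count(password) > 0


if __name__ == "__main__":
    print("password ->", pwned_count("password"))
    print("force reset?", should_force_reset("password", False))
```

With a live `fetch_range` that performs the HTTP request, the same `pwned_count` function works unchanged; the prefix is the only thing that ever goes over the wire, which is what makes this safe to run against user-supplied passwords at login or registration time.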
What do you think – should last.fm have changed users’ passwords when the data breach went public? Have you signed up for HaveIBeenPwned? If not – what are you waiting for – it’s free and a great first response tool to keep your accounts more secure.
We had an interesting ticket come in today where an antispam system had let through a file compressed with the ARJ format. This immediately brought back memories of compressing files back at university – in the very early 90s – and a format that used to be very popular but that nowadays most people, including the rest of our techs, have never even heard of.
I am guessing the spammers were hoping that their recipients have WinZip, WinRAR or 7-Zip installed so they will be able to open the infected file, and that as the file format is so old, AV scanners will not check it.
Anyone else out there remember ARJ files, and does anyone (dare to admit that they) still use it?
I received my new KeySmart Extended quite a while back and forgot I hadn’t reviewed it online.
Here is the before mess of all my jumbled keys:-
and then my after neat and tidy stack of keys and loyalty cards.
I did remove about 3 loyalty cards and trimmed the rest of them so they fit nicely in the device, and also removed a couple of keychains, but the end result is a lot tidier and much easier on my pocket. I also splurged and got the USB key fob (the larger silver device at the bottom right of the third picture) so I always have some data storage handy. This new version of the KeySmart seems to be sturdy, with the expansion pins holding up well (too well – I had to use two pliers to pull two apart when I made it too big). At first I was concerned about how easy it would be to get the required key out, but they rotate very easily (possibly a little too easily) and as long as your keys have distinguishing features you can tell them apart easily. If they don’t – get some permanent markers or nail polish. I kept my work keys on one end at the top and my house keys on the other end at the top so they are the easiest to get to and I know where they are.
Starting at $21 for the extended version I have here you can also get 15% off at getKeysmart.com (affiliate link). Note that I did buy my own KeySmart and also purchased one for Brandi too.
I used to use Keyring on Android for all my loyalty cards but had issues with the lasers being unable to scan the cards on the phone. Nowadays most places also just ask you for your phone number or alternate ID, so it is rare that I even use a loyalty card – I think the last time was at the gas station to get my 3c off at Shell, as like most gas stations it does not have NFC for card payment and no barcode scanner (although the Shell one doesn’t even have a barcode anyway).