Dating site eHarmony.com and music site Last.fm have both admitted to being the victims of hacking attacks that exposed user passwords, just days after LinkedIn admitted 6.5 million passwords had been stolen.
It appears the same hacker that targeted LinkedIn also hit eHarmony. A list of around 8 million passwords appeared on a Russian internet forum earlier this week. Many were from LinkedIn but security experts discovered that many of the passwords also contained ‘eharmony’ or ‘harmony’ in them. It is worryingly common for people to use all or part of a service’s name when selecting a password.
After reports first emerged on ArsTechnica, eHarmony confirmed in a statement on its site that around 1.5 million passwords had been compromised.
"After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected," the statement said. "As a precaution, we have reset affected members passwords. Those members will receive an email with instructions on how to reset their passwords."
"Please be assured that eHarmony uses robust security measures, including password hashing and data encryption, to protect our members’ personal information. We also protect our networks with state-of-the-art firewalls, load balancers, SSL and other sophisticated security approaches. We deeply regret any inconvenience this causes any of our users," the statement added.
In another incident, UK music streaming service Last.fm also confirmed it was investigating a possible password breach.
"We are currently investigating the leak of some Last.fm user passwords. This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately," the statement said.
Both sites warned users they would not send out any emails with links to password reset options as this is a tactic used in phishing emails. Users should instead go directly to the site and change their password that way.
These two incidents come just days after LinkedIn confirmed a hacker had leaked 6.5 million passwords. The business social network site said it had reset the password of all affected accounts.
"Yesterday we learned that approximately 6.5 million hashed LinkedIn passwords were posted on a hacker site. Most of the passwords on the list appear to remain hashed and hard to decode, but unfortunately a small subset of the hashed passwords was decoded and published," the company said on its blog.
"To the best of our knowledge, no email logins associated with the passwords have been published, nor have we received any verified reports of unauthorised access to any member’s account as a result of this event," Vicente Silveira added.
"Since we became aware of this issue, we have been taking active steps to protect our members. Our first priority was to lock down and protect the accounts associated with the decoded passwords that we believed were at the greatest risk. We’ve invalidated those passwords and contacted those members with a message that lets them know how to reset their passwords," LinkedIn said.
