
eHarmony and Last.fm become latest password hack victims

Dating site and music streaming service follow LinkedIn password leak

By Steve Evans

Dating site eHarmony.com and music site Last.fm have both admitted to being the victims of hacking attacks that exposed user passwords, just days after LinkedIn admitted 6.5 million passwords had been stolen.

It appears the same hacker that targeted LinkedIn also hit eHarmony. A list of around 8 million passwords appeared on a Russian internet forum earlier this week. Many were from LinkedIn but security experts discovered that many of the passwords also contained ‘eharmony’ or ‘harmony’ in them. It is worryingly common for people to use all or part of a service’s name when selecting a password.

After reports first emerged on Ars Technica, eHarmony confirmed in a statement on its site that around 1.5 million passwords had been compromised.

"After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected," the statement said. "As a precaution, we have reset affected members’ passwords. Those members will receive an email with instructions on how to reset their passwords."

"Please be assured that eHarmony uses robust security measures, including password hashing and data encryption, to protect our members’ personal information. We also protect our networks with state-of-the-art firewalls, load balancers, SSL and other sophisticated security approaches. We deeply regret any inconvenience this causes any of our users," the statement added.

In another incident, UK music streaming service Last.fm also confirmed it was investigating a possible password breach.

"We are currently investigating the leak of some Last.fm user passwords. This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately," the statement said.

Both sites warned users they would not send out any emails with links to password reset options as this is a tactic used in phishing emails. Users should instead go directly to the site and change their password that way.

These two incidents come just days after LinkedIn confirmed a hacker had leaked 6.5 million passwords. The business social network site said it had reset the password of all affected accounts.

"Yesterday we learned that approximately 6.5 million hashed LinkedIn passwords were posted on a hacker site. Most of the passwords on the list appear to remain hashed and hard to decode, but unfortunately a small subset of the hashed passwords was decoded and published," the company said on its blog.

"To the best of our knowledge, no email logins associated with the passwords have been published, nor have we received any verified reports of unauthorised access to any member’s account as a result of this event," Vicente Silveira added.

"Since we became aware of this issue, we have been taking active steps to protect our members. Our first priority was to lock down and protect the accounts associated with the decoded passwords that we believed were at the greatest risk. We’ve invalidated those passwords and contacted those members with a message that lets them know how to reset their passwords," LinkedIn said.
