This week I received a notice from https://haveibeenpwned.com/ suggesting that my user account from last.fm had been compromised. In this case, the breach was fairly significant: according to Have I Been Pwned, email addresses, passwords, usernames, and website activity were among the compromised data.
Wow. Last.fm. I hadn’t even thought of that service in years. A quick check at Wikipedia shows they are still in business, but I had forgotten about last.fm, probably because SomaFM.com and Pandora had garnered my music listening attention.
I looked in my password vault to see what my password was. I found there was no entry for last.fm. This is especially troubling, since there is a possibility that the password I used for last.fm is used elsewhere (more on that in a minute). I still have one more password vault to check, but I don’t have physical access to that until tomorrow. Hopefully I’ll find an entry.
In any event, I’ve changed my password at last.fm. But not knowing what my prior password was is going to gnaw at me for a while.
Occurrences like this are another reason why we should all use unique, hard-to-guess passwords for each web site. That way, if any web site is compromised and the compromise reveals your password, you can be confident that no other web sites are affected.