Millions of Last.fm users may have been affected by a password security breach, according to computer security experts.
Last.fm confirmed it was investigating a breach on Thursday, and warned all of its users to change their passwords in a security advisory.
"We are currently investigating the leak of some Last.fm user passwords," said the company. "This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we're asking all our users to change their passwords immediately."
Up to 17.3 million unique MD5 hashes — which can be cracked to indicate unique passwords — appeared on a hacking forum in 2011 and could be used to reveal Last.fm users' passwords, according to security company KoreLogic.
"The list has been 'out there' for a long time," one of the KoreLogic team said in a Reddit comment on Thursday. "I talked about it privately at 2011 DEFCON. It was originally posted by 'bad guys' on password cracking websites last year. I grabbed it, but it was promptly deleted."
Common Last.fm passwords included 'lastfm', 'last' and 'love', said KoreLogic, which will host the 'Crack Me If You Can' competition at the DefCon 2012 security conference.
Computer security publication Heise Security gave a more conservative estimate of around 2.5 million compromised unsalted MD5 hashes. Heise said it had a list of 'unsalted hashes that are trivial to crack', and that at least one million hashes had been cracked and the passwords posted on the internet.
Last.fm, a sister company to ZDNet UK, joins social networking site LinkedIn and dating site eHarmony in disclosing that user passwords had been compromised this week.