Millions of Stolen Last.fm Passwords Have Been Decrypted. These Are the Top 50
Nicescene/Shutterstock.com
Remembering a strong password is difficult
Remembering a strong password is difficult. That’s why people keep using passwords like “123456,” “password,” and more puzzlingly, “monkey.”
Those are some of the most popular passwords from a stash of data stolen from the music-streaming platform Last.fm in 2012. Hundreds of thousands of people used those three passwords to log in to their Last.fm accounts. The passwords were decrypted by LeakedSource, which maintains a collection of publicly available hacked data.
These are the 50 most frequently used passwords from the hacked stash of 43.6 million, according to LeakedSource:
| Rank | Password | Frequency |
|---|---|---|
| 1 | 123456 | 255,319 |
| 2 | password | 92,652 |
| 3 | lastfm | 66,857 |
| 4 | 123456789 | 63,984 |
| 5 | qwerty | 46,201 |
| 6 | abc123 | 36,367 |
| 7 | abcdefg | 34,050 |
| 8 | 12345 | 33,785 |
| 9 | 1234 | 30,938 |
| 10 | music | 27,975 |
| 11 | 12345678 | 25,876 |
| 12 | 111111 | 25,313 |
| 13 | abcdefg123 | 21,555 |
| 14 | aaaaaa | 19,098 |
| 15 | 123123 | 18,147 |
| 16 | 123 | 17,225 |
| 17 | liverpool | 17,191 |
| 18 | 1234567 | 17,168 |
| 19 | 0 | 16,941 |
| 20 | monkey | 16,787 |
| 21 | football | 16,177 |
| 22 | 1234567890 | 14,972 |
| 23 | 666666 | 14,164 |
| 24 | password1 | 14,016 |
| 25 | last.fm | 13,741 |
| 26 | xbox360 | 13,467 |
| 27 | baseball | 12,645 |
| 28 | iloveyou | 12,160 |
| 29 | dragon | 12,134 |
| 30 | shadow | 11,893 |
| 31 | 123321 | 11,281 |
| 32 | abcd | 11,141 |
| 33 | foxpass | 10,719 |
| 34 | fuckyou | 10,685 |
| 35 | cheese | 10,669 |
| 36 | musica | 10,651 |
| 37 | soccer | 10,288 |
| 38 | 654321 | 9,969 |
| 39 | sunshine | 9,925 |
| 40 | arsenal | 9,894 |
| 41 | metallica | 9,891 |
| 42 | superman | 9,842 |
| 43 | charlie | 9,839 |
| 44 | daniel | 9,775 |
| 45 | abcdef | 9,376 |
| 46 | letmein | 9,306 |
| 47 | killer | 9,174 |
| 48 | abcde | 9,124 |
| 49 | blink182 | 9,099 |
| 50 | michael | 8,997 |
LeakedSource says the hack took place March 22, 2012, and includes information like each account’s username, email address, join date and other data. It verified the data were authentic by checking with a known user whose credentials were in the stash.
Even if many some of those users are no longer active on last.fm, the common (and bad) habit of reusing passwords means hackers might use the leaked data to break into people’s accounts on other services.
Last.fm had 49 million registered users at the time of the hack, according to one estimate. The company reported 55 million registered users in 2014, although only a fraction of those are likely to be active users.
Last.fm was a pioneer of music streaming, and CBS acquired it for $280 million in 2007. Its parent failed to capitalize on its head start, however, and its user growth has stagnated over the years, even as losses have mounted and staff have dwindled. Spotify was launched the October after the acquisition.