
Last.fm sounds like the canonical example of a site where it makes absolutely no difference if your password gets exposed.

Worst case, some malicious individual on the internet will learn that I still like the Beastie Boys, even though it's not 1994 anymore. And possibly they'll listen to music in my name.

This is why one has a throwaway password. For throwaway accounts at throwaway sites like this. Getting your throwaway password thrown away should by definition not be something you worry about.



It matters because there was a failure and it could be in a technology or service you also use.

It matters because many users re-use credentials.

Scenario: You send a confidential email to a colleague, colleague has her lastfm compromised. Attacker scripts up logins against all common sites - including her Gmail account where you sent your confidential email. Script not only logs in and changes password, it also forwards to her friends and family all the emails containing some target phrases - including your confidential one.

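The scenario above, seen from the defended service's side, as an added example that is not part of the thread or of any site mentioned in it: replaying a leaked user:password list looks different in an authentication log from a brute-force attack on one account, because the attacker tries one password per account across many accounts. The log format, field names, thresholds and sample lines below are all constructed assumptions.

```python
"""Flag credential-stuffing sources in authentication logs.

Added example, not from the thread or from Last.fm. The log line format,
field names and thresholds are assumptions; the sample lines are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (assumed format:
#   <timestamp> auth login user=<name> src=<ip> result=<ok|fail>).
# 203.0.113.5 tries one password per account across many accounts, which is
# what replaying a leaked user:password list looks like; 198.51.100.9 is one
# user fumbling their own password; 192.0.2.77 is a normal login.
SAMPLE_LOG = """\
2012-06-07T08:00:01Z auth login user=alice src=203.0.113.5 result=fail
2012-06-07T08:00:02Z auth login user=bob src=203.0.113.5 result=fail
2012-06-07T08:00:02Z auth login user=carol src=203.0.113.5 result=ok
2012-06-07T08:00:03Z auth login user=dave src=203.0.113.5 result=fail
2012-06-07T08:00:03Z auth login user=erin src=203.0.113.5 result=fail
2012-06-07T08:00:04Z auth login user=frank src=203.0.113.5 result=ok
2012-06-07T08:00:05Z auth login user=grace src=203.0.113.5 result=fail
2012-06-07T08:00:06Z auth login user=heidi src=203.0.113.5 result=fail
2012-06-07T08:01:00Z auth login user=alice src=198.51.100.9 result=fail
2012-06-07T08:01:05Z auth login user=alice src=198.51.100.9 result=fail
2012-06-07T08:01:09Z auth login user=alice src=198.51.100.9 result=ok
2012-06-07T08:02:00Z auth login user=bob src=192.0.2.77 result=ok
"""

LINE_RE = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)")


@dataclass
class SourceStats:
    attempts: int = 0
    users: set = field(default_factory=set)   # distinct usernames tried
    hits: set = field(default_factory=set)    # usernames that logged in


def parse_log(text):
    """Aggregate login attempts per source address."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated line; skip rather than guess
        s = stats[m["src"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "ok":
            s.hits.add(m["user"])
    return stats


def stuffing_sources(stats, min_users=5, max_hit_rate=0.5):
    """Return (src, distinct_users, successes) for sources that spray many
    accounts with mostly failures. Brute force against one account (few
    users, many attempts) and ordinary logins (high hit rate) are not flagged."""
    flagged = []
    for src, s in stats.items():
        hit_rate = len(s.hits) / s.attempts
        if len(s.users) >= min_users and hit_rate <= max_hit_rate:
            flagged.append((src, len(s.users), len(s.hits)))
    return sorted(flagged)


def compromised_accounts(stats, **thresholds):
    """Accounts a flagged source logged into: their password matched the leaked
    one, so they need a forced reset, not just a blocked IP."""
    victims = set()
    for src, _, _ in stuffing_sources(stats, **thresholds):
        victims |= stats[src].hits
    return victims


if __name__ == "__main__":
    stats = parse_log(SAMPLE_LOG)
    for src, users, hits in stuffing_sources(stats):
        print(f"{src}: {users} usernames tried, {hits} succeeded")
    print("force password reset for:", sorted(compromised_accounts(stats)))
```

The successes from a flagged source are the interesting part: those users reused a leaked password, and blocking the source address does nothing for them, so the response is a forced reset for exactly that set.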

anyone care to bet everyone with a linkedin account who works at a tech company just got targeted attacks? Hi, my name is Joe Hacker, and I work at <domain name>! Since you got my linkedin account, why not try that password at admin.<domain name>?


Anyone who uses the same password for their linkedin and company account earned their punishment for intentionally violating their company's information security.


Protip: Whenever you are evaluating a system and there is an unacceptable failure mode and your answer is "let it fail, then blame the user", go back and find a different answer.


I have over 150k songs scrobbled to Last.FM and have been a member since 2005. I actually can think of very few other services that I would care about as much as if my Last.FM were compromised/deleted.


Same. 127k songs since '05, and I still cruise through the site regularly and look at what I was listening to on this day in 20xx.

I briefly paid for the site's radio functionality before it was crippled. It feels to me like they've died a similar death to Flickr (acquired, core team left, innovation stopped). Such a shame.


Agreed. Last.FM is such a trove of data. It is fascinating to see what I was listening to and when, and especially looking at macro events and seeing how that influenced the world's listening habits.

It took Last.FM until 2012 to implement the ability to find your friends from Facebook. Seriously. It really is such a shame; they're a service that needs to be spun out.


Their event listings used to be my go-to place to find out about concerts. The problem is they have a bug they've never fixed (after at least 2 years) where you can't see events happening on the current night. I think it's related to timezone, and the fact they are based in the UK.

Now I've got songkick, which kicks ass at keeping me informed about shows. But the whole reason songkick is so effective for me is that I imported my listening history from last.fm when I first signed up.


Same feelings. I treasure my last.fm stats so much. It has documented 7 years of my life in a way that no other site or social network could express.


Ditto. 196k since '05 here. The ability to see how my musical taste synced with the ebb and flow of my life is something I really cherish.


29k since September 2004, and I listen to an album almost every day.

You're scrobbling songs during your whole work day, right? I disable it at work, since I don't pay much attention and end up with lots of plays I don't care much about.

(edit: my average is really 10 songs/day!).


I am listening to music all the time. I have it hooked up with all of the mobile services I've used (Spotify, Rdio), SoundCloud, and online radio services that support it in addition to regular old iTunes and Winamp on my computers. I'd say I listen to the equivalent of 3-4 albums per day. There's a lot of random one-offs that get tossed in there, but there have also been months where I either turned off the service out of embarrassment over something I wanted to listen to and forgot to turn back on, or just plain didn't download it or sign into it through another service. I figure that the fluff evens those times out.


I can see it now...

Show HN: pclark listens to Miley Cyrus, A LOT.


Amusingly that is my iPhone ringtone.


I must remember this excuse.


They'll get your username, they might crack your password.

Do you use the same password/username combination somewhere else? If not, good for you. You're kind of a rare person.


I reuse passwords for websites like that, but the other places I use it are similarly throwaway.


Yes. That's the point.

Not only will they be able to listen to music that I like, they might be able to download MySQL as though they were me or comment on Engadget articles as me.

None of which are particularly concerning. Because those are throwaway accounts for me.


Make sure you've got a process in place to at least semi-regularly audit your list of "throwaway accounts".

A long time ago, I signed up to PerlMonks for some unimportant reason. Since it was unimportant then (and still is now) I used my then-standard "throwaway login". Sometime later, and before it became "a thing", I signed up for this new "microblogging service" using my "throwaway login" - it was called Twitter - nobody much had heard of it back then. Fast forward 3 years or so… Twitter had become, while not _important_, at least a place where I consider my personal reputation is important. Shortly after the PerlMonks user database got exposed (with its cleartext passwords! facepalm!), I got an early morning text message from a friend "Acai berry spam from your Twitter account! Ha ha!" (Thanks Colin… For both the heads-up and the deserved ridicule)

If you're using the same "throwaway" credentials in a bunch of places you consider "unimportant" - make sure you upgrade those to properly secure credentials when the importance of those places changes.

Or better still, get 1Password/KeePass/LastPass/WhatEver and stop doing that…

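One way to run the audit the comment above recommends, as an added example that is not part of the thread: export the password manager's vault to CSV and look for a single password shared between sites you consider throwaway and sites you now care about. The CSV columns, the site names, the "important" list and the export contents are constructed assumptions; the script hashes passwords before reporting so the output never echoes plaintext.

```python
"""Audit a password-manager export for reused passwords.

Added example, not from the thread; the CSV columns, the site list and the
set of "important" sites are assumptions, and the export is constructed.
"""
import csv
import hashlib
import io
from collections import defaultdict

# Constructed export (assumed columns: site,username,password). Not real
# credentials. "hunter2" is the "throwaway" password that quietly spread from
# low-value sites to a site whose reputation the owner cares about.
EXPORT_CSV = """\
site,username,password
last.fm,musicfan,hunter2
forum.example.org,musicfan,hunter2
engadget.com,musicfan,hunter2
twitter.com,musicfan,hunter2
mail.example.com,musicfan,correct horse battery staple
github.com,musicfan,a different long unique passphrase
"""

# Sites where a takeover actually hurts (assumption; maintain this list as
# the importance of a site to you changes).
IMPORTANT = {"twitter.com", "mail.example.com", "github.com"}


def fingerprint(password):
    """Short hash so the report can name groups without echoing plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def load_export(text):
    return list(csv.DictReader(io.StringIO(text)))


def reuse_groups(rows):
    """Map fingerprint -> sorted sites, for every password used on 2+ sites."""
    groups = defaultdict(list)
    for row in rows:
        groups[fingerprint(row["password"])].append(row["site"])
    return {fp: sorted(sites) for fp, sites in groups.items() if len(sites) > 1}


def promoted_throwaways(rows, important=IMPORTANT):
    """Reused passwords that now guard at least one important site.

    A breach of any site in 'shared_with' hands the attacker the password
    for every site in 'rotate_first', so those get a fresh unique password
    before anything else."""
    findings = {}
    for fp, sites in reuse_groups(rows).items():
        hot = [s for s in sites if s in important]
        if hot:
            findings[fp] = {
                "rotate_first": hot,
                "shared_with": [s for s in sites if s not in important],
            }
    return findings


if __name__ == "__main__":
    rows = load_export(EXPORT_CSV)
    for fp, finding in promoted_throwaways(rows).items():
        print(f"password group {fp}: rotate {finding['rotate_first']} "
              f"(shared with {finding['shared_with']})")
```

Run it against a fresh export whenever a site you use is breached, and again whenever a site moves from "don't care" to "care"; the second trigger is the one the comment above was bitten by.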

Even if you don't use the same username, if they have your email, those are fungible with usernames on many sites. (And of course game over if you use the same or similar password for Last.fm and email.)


Last.fm also has an affiliate program for labels (http://www.last.fm/uploadmusic).

By gaining access to these accounts you can do a lot of damage (eg. steal money from people's accounts or destroy a label's presence on last.fm).


Most people reuse passwords across services. If that's the case, a breach in any one service becomes a foothold into a panoply of other accounts.


But how many people have throwaway passwords on sites like these? It might not mean much to the tech-savvy community, but I'm sure a lot of people use the same password for a lot of services.

They might not be able to do much with your account on Last.fm, but they have your email, for which you may or may not use the same password.



