Skip to navigationSkip to content
PREDICTABLE

Millions of stolen Last.fm passwords have been decrypted. These are the top 50

Computer keyboard with letters stacked in the word 'password' is seen in this illustration picture taken in Warsaw
Reuters/Kacper Pempel
Easy to remember, easy to break.
By Joon Ian Wong
Published Last updated This article is more than 2 years old.

Remembering a strong password is difficult. That’s why people keep using passwords like “123456,” “password,” and more puzzlingly, “monkey.”

Those are some of the most popular passwords from a stash of data stolen from the music-streaming platform Last.fm in 2012. Hundreds of thousands of people used those three passwords to log in to their Last.fm accounts. The passwords were decrypted by LeakedSource, which maintains a collection of publicly available hacked data.

These are the 50 most frequently used passwords from the hacked stash of 43.6 million, according to LeakedSource:

1
123456
255,319
2
password
92,652
3
lastfm
66,857
4
123456789
63,984
5
qwerty
46,201
6
abc123
36,367
7
abcdefg
34,050
8
12345
33,785
9
1234
30,938
10
music
27,975
11
12345678
25,876
12
111111
25,313
13
abcdefg123
21,555
14
aaaaaa
19,098
15
123123
18,147
16
123
17,225
17
liverpool
17,191
18
1234567
17,168
19
16,941
20
monkey
16,787
21
football
16,177
22
1234567890
14,972
23
666666
14,164
24
password1
14,016
25
last.fm
13,741
26
xbox360
13,467
27
baseball
12,645
28
iloveyou
12,160
29
dragon
12,134
30
shadow
11,893
31
123321
11,281
32
abcd
11,141
33
foxpass
10,719
34
fuckyou
10,685
35
cheese
10,669
36
musica
10,651
37
soccer
10,288
38
654321
9,969
39
sunshine
9,925
40
arsenal
9,894
41
metallica
9,891
42
superman
9,842
43
charlie
9,839
44
daniel
9,775
45
abcdef
9,376
46
letmein
9,306
47
killer
9,174
48
abcde
9,124
49
blink182
9,099
50
michael
8,997

LeakedSource says the hack took place on March 22, 2012 and includes information like each account’s username, e-mail address, join date and other data. It verified that the data were authentic by checking with a known user whose credentials were in the stash.

Even if many some of those users are no longer active on last.fm, the common (and bad) habit of reusing passwords means hackers might use the leaked data to break into people’s accounts on other services.

Last.fm had 49 million registered users at the time of the hack, according to one estimate. The company reported 55 million registered users in 2014, although only a fraction of those are likely to be active users. Last.fm was a pioneer of music streaming, and CBS acquired it for $280 million in 2007. Its parent failed to capitalize on its head start, however, and its user growth has stagnated over the years, even as losses have mounted and staff have dwindled. Spotify was launched the October after the acquisition.

📬 Kick off each morning with coffee and the Daily Brief (BYO coffee).

By providing your email, you agree to the Quartz Privacy Policy.