Security firm KoreLogic says the leak is over a year old and involves 17.3 million passwords.
Music streaming site Last.fm recently announced that it's investigating the leak of some user passwords, and advises all users to change their passwords immediately.
"Although the website is not confirming that there has been a security breach yet, it isn't being shy about informing users that there could be a problem," writes Sophos' Graham Cluley.
"Last.fm users can switch their passwords by logging in and accessing the 'Settings' page, or by reporting their password as lost," writes Ars Technica's Nathan Mattise. "In the site's announcement, Last.fm re-emphasized these are the only means for password changes: 'We will never e-mail you a direct link to update your settings or ask for your password.'"
"Last.fm did not disclose how many accounts are at risk, or any details pertaining to its security," notes ZDNet's Zack Whittaker. "This follows in the footsteps of ‘professional’ social network LinkedIn and dating website eHarmony which both suffered security breaches earlier this week."
"Security firm KoreLogic has tweeted some details about the Last.fm leak," writes Lifehacker's Melanie Pinola. "Apparently the leak happened at least a year ago ... 2010/2011, KoreLogic says, so this incident most likely isn't related to the LinkedIn or eHarmony breach -- but that does make you wonder why it took so long to report the leak. Also, apparently 17.3 million passwords are involved, with 16.4 million (95 percent) of them cracked from their raw-md5 encryption."