Credential theft

Last.fm Password Breach — 43 Million Unsalted MD5 Hashes (Discovered 2016)

📅 2012-03-01
Primary Source ↗

Incident Details

Last.fm, the music discovery and social listening service (owned by CBS Interactive from 2007), suffered a breach of its user database that occurred around 2012 but was not publicly disclosed until September 2016 when approximately 43.5 million records appeared on LeakedSource, a breach notification and data search service. The breach included email addresses, usernames, and passwords stored as unsalted MD5 hashes. The 2012 timeframe aligns with Last.fm’s June 2012 public announcement that it was ‘investigating a report that some Last.fm user passwords have been compromised’ and advising users to change passwords — but at the time the full scale (43 million accounts) was not disclosed or publicly known. The unsalted MD5 storage meant a very high proportion of passwords were crackable. Last.fm notified users in 2016 when the full dataset became known and forced password resets. The breach is part of a cluster of major 2012 credential database thefts — including LinkedIn (117M), Dropbox (68M), MySpace (360M), and eHarmony (1.5M) — that were stolen in 2012 but surfaced on criminal markets during 2016, years later. This pattern demonstrated the long ‘shelf life’ of stolen credential databases and the delayed nature of breach discovery and disclosure for many incidents from that era.

Technical Details

Initial Attack Vector
Database breach — attackers obtained Last.fm's user credential database; the passwords were stored as unsalted MD5 hashes, enabling mass cracking; the breach was not discovered publicly until 2016 when the database appeared on underground markets
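The incident summary and the attack-vector note both turn on one storage decision: a single fast, unsalted MD5 digest per password. The following Python is an added illustration, not code from this page or from Last.fm. It uses a constructed three-user table to show the two properties a defender cares about: identical passwords produce identical unsalted hashes (so one lookup answers for every account sharing that password, and the table itself reveals which accounts share one), and a per-user random salt with a slow derivation function (PBKDF2-HMAC-SHA256 is assumed here as the replacement; the page names none) removes both. The usernames, passwords and wordlist are all made up.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set

# Constructed sample records; not real Last.fm data.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "password123",
    "bob": "password123",   # same password as alice
    "carol": "correct-horse-battery",
}

# A tiny constructed wordlist standing in for any public password list.
SAMPLE_WORDLIST: List[str] = ["123456", "password123", "qwerty"]


def unsalted_md5(password: str) -> str:
    """The scheme exposed in the breach: one fast hash, no per-user salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_unsalted(users: Dict[str, str]) -> Dict[str, str]:
    """Build a credential table the way the breached database was built."""
    return {user: unsalted_md5(pw) for user, pw in users.items()}


def shared_password_groups(table: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit check: without salt, equal hashes mean equal passwords, so the
    stored table leaks which accounts share one. Returns hash -> users."""
    groups: Dict[str, List[str]] = {}
    for user, digest in table.items():
        groups.setdefault(digest, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def wordlist_exposure(table: Dict[str, str], wordlist: List[str]) -> Set[str]:
    """Audit check: hash the wordlist once and see which accounts in an
    unsalted table it resolves. One precomputation covers every user, which
    is why unsalted storage makes mass recovery cheap."""
    precomputed = {unsalted_md5(word) for word in wordlist}
    return {user for user, digest in table.items() if digest in precomputed}


# Salted, iterated storage. Iteration count is an assumption chosen for
# illustration; tune it to your hardware budget.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a per-user digest with a random 16-byte salt and encode the
    parameters alongside it so verification is self-describing."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so the check itself does not leak timing information."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def store_salted(users: Dict[str, str]) -> Dict[str, str]:
    """Build the same table with per-user salts; equal passwords no longer
    produce equal records, and no precomputed list applies."""
    return {user: hash_password(pw) for user, pw in users.items()}


if __name__ == "__main__":
    weak = store_unsalted(SAMPLE_USERS)
    print("shared-password groups:", shared_password_groups(weak))
    print("resolved by wordlist:", sorted(wordlist_exposure(weak, SAMPLE_WORDLIST)))
    strong = store_salted(SAMPLE_USERS)
    print("alice == bob under salted scheme:", strong["alice"] == strong["bob"])
    print("verify alice:", verify_password("password123", strong["alice"]))
```

Running the script shows alice and bob grouped together and both resolved by the three-word list under the unsalted scheme, while the salted records for the same two passwords differ and only verify against the correct password. The same audit functions can be pointed at any legacy table to estimate how much of it a breach would expose before a forced reset and migration.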

Timeline

  1. 2012-03-01 Breach occurred
  2. 2016-09-01 Publicly disclosed
  3. 2016-09-01 Customers notified