Thursday, June 7, 2012

Analyzing Last.fm's password security advisory

Here is the note from the Last.fm password security advisory page (plain-text only):

Here is what people who are logging in would see:
Last.fm Password Security Update
7th June 2012
We are currently investigating the leak of some Last.fm user passwords. This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately.
Change your password
We strongly recommend that your new Last.fm password is different to the password you use on other services. For more advice on choosing a solid password we recommend: http://www.google.co.uk/goodtoknow/online-safety/passwords/
We’re sorry for the inconvenience around changing your password; Last.fm takes your privacy very seriously. We’ll be posting updates in our forums and via our Twitter account (@lastfm) as we get to the bottom of this.
The Last.fm Team

Here is what people would see if they don't log in (plain-text only): 
Last.fm Password Security Update
7th June 2012
We are currently investigating the leak of some Last.fm user passwords. This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately.
Please log in to Last.fm and change your password on the settings page
If you can’t remember your password you can reset it without logging in
We will never email you a direct link to update your settings or ask for your password.
We strongly recommend that your new Last.fm password is different to the password you use on other services. For more advice on choosing a solid password we recommend: http://www.google.co.uk/goodtoknow/online-safety/passwords/
We’re sorry for the inconvenience around changing your password; Last.fm takes your privacy very seriously. We’ll be posting updates in our forums and via our Twitter account (@lastfm) as we get to the bottom of this.
The Last.fm Team

Let me stress this line:
We will never email you a direct link to update your settings or ask for your password.
I don't get it. They always send me links. Here is a copy of the first-ever email I got from Last.fm back in 2008 (plain-text with some line breaks removed as usual):

Hello [redacted], 
Your profile has been created. Visit it here:
http://www.last.fm/user/[redacted]
Should you lose your password, you can retrieve it here:
http://www.last.fm/settings/lostpassword/
Now, what's next?
TUNE IN
Listen to Last.fm radio by typing your favorite artist or band:
http://www.last.fm/listen
FIND YOUR FRIENDS
Use our contacts importer to see who of your friends is already using Last.fm:
http://www.last.fm/user/[redacted]/findafriend/
SCROBBLE
Get our software and every song you play on your computer becomes part of your
musical profile. http://www.last.fm/download/
SHOW OFF
Once you listen to music with Last.fm, you can take it with you. Show your
musical charts on your MySpace, LiveJournal, Facebook, or blog:
http://www.last.fm/widgets/
Happy listening,
- Team Last.fm
-------------
Pssst:
You can control your notification preferences here:
http://www.last.fm/settings/notifications