51 Million iMesh Accounts Available on Black Market

Fifty-one million iMesh accounts are for sale on Dark Web for $700, bringing the number of user accounts tied to recent breaches to over 700 million.

LeakedSource, an aggregator of data stolen in breaches, is advertising the availability of the account information of 51 million users of the now defunct iMesh peer-to-peer file-sharing music service. According to LeakedSource, the data is from a 2013 breach and includes email addresses, usernames, passwords, IP addresses and specific country locations for users.

Sources at iMesh could not confirm the breach to Threatpost. According to iMesh’s Facebook page, on June 9 the company shuttered its iMesh music service. The data is also currently for sale on an underground site called The Real Deal for 1 bitcoin (or $718), allegedly put there by a hacker known as Peace, who also is allegedly behind the LinkedIn password dump.

The alleged iMesh password data was stored using the cryptographic hash function MD5 (Message-Digest algorithm 5), according LeakedSource. LeakedSource told Threatpost it has cracked the salted passwords. The website claims it was “given” the iMesh database by an undisclosed third party. LeakedSource sells access to its database of breached data via its website for about $1 a day, according to the website.

Reports of the iMesh data breach is the latest in a recent string of breaches of popular online services. In the past few weeks, account breaches have been reported by LinkedIn, Tumblr, VK.com, Fling and MySpace – bringing the total number of compromised accounts to more than 700 million.

Security experts warn that while breach data in many cases may be outdated and from obsolete services, the data can be used to compromise other accounts. That’s because people often use the same username or password across multiple sites. One breach could crack open dozens of a user’s accounts across the web.

Tod Beardsley, security research manager at Rapid7, also points out that the iMesh email and user name data could also be extremely useful to spammers who can leverage IP data to more accurately geo-locate spam email.

“The one feature of the iMesh credential set that may be interesting to researchers is the inclusion of user IP addresses, along with usernames and passwords,” Beardsley wrote in an email to Threatpost. “IP addresses can be used to geolocate users, so a line of research to find out where in the world usernames and throwaway passwords are more popular might academically interesting.”

In its heyday of 2001, iMesh was a popular P2P file sharing service similar to LimeWire and KaZaa, each running afoul with the Recording Industry Association of America for contributing to copyright infringements. In 2004, under pressure of litigation from the RIAA, iMesh restructured as legal pay-for-download service.

Suggested articles