
For sale: 51M iMesh user accounts

A database of user accounts of the once popular video and music-sharing site iMesh has been made available on the dark web, according to ZDNet.

The peer-to-peer file-sharing service, at its peak the third-largest in the U.S., is no longer in business, but its collection of customer data lives on and is now exposed to bidders. The database, which dates back to 2005, includes email addresses, passwords, user names, locations, IP addresses and registration dates.

The data was believed to have been breached in September 2013, although the New York-based company's chief operating officer Roi Zemmer claimed to be protecting user data with the latest technology.

A hacker known as "Peace" put the database up for sale on the dark web for one bitcoin, worth around $600.

"The iMesh breach from 2013 contains the usual bad passwords made familiar from many similar breaches over the years, such as '123456,' 'password,' and 'qwerty,'" Tod Beardsley, security research manager at Rapid7, said in an email to SCMagazine.com. "These common passwords imply that many of the user accounts associated with the service were throwaway accounts, where the users did not consider their accounts to be all that valuable."

The one feature of the iMesh credential set that may be interesting to researchers is the inclusion of user IP addresses, along with usernames and passwords, Beardsley said. "IP addresses can be used to geolocate users, so a line of research to find out where in the world usernames and throwaway passwords are more popular might be academically interesting."

He believes that spammers are the most likely consumers of this data, since email addresses linked to IP addresses can give spammers a more accurate, geolocated dimension to their mailing lists. 
