Hacker Puts 51 Million iMesh Accounts For Sale On Dark Web (zdnet.com)
An anonymous reader shares a ZDNet report: User accounts for iMesh, a now-defunct file sharing service, are for sale on the dark web. The New York-based music and video sharing company was a peer-to-peer service, which rose to fame in the file sharing era of the early 2000s, riding the waves of the aftermath of the "dotcom" boom. LeakedSource, a breach notification site that allows users to see if their details have been leaked, has obtained the database. The group's analysis of the database shows it contains a little over 51 million accounts. The database, of which a portion was shared with ZDNet for verification, contains user information that dates back to late 2005 when the site launched, including email addresses, passwords (which were hashed and salted with MD5, an algorithm that nowadays is easy to crack), usernames, a user's location and IP address, registration date, and other information -- such as if the account is disabled, or if the account has inbox messages.
Well (Score:0)
Close down this dark web.
Re:Well (Score:4, Insightful)
Could we close down the surveillance-infested other one instead?
Re:Well (Score:0)
Sure! Just sign my petition on Facebook! https://www.facebook.com/Close...
Re:Well (Score:2)
Can't. Anything FB-related is banned from my network.
Re:Well (Score:2)
Sure! Just sign my petition on Facebook!
Can't. Anything FB-related is banned from my network.
Whoosh? I loved your original comment, but I kinda think AC had tongue firmly in cheek - my first response was laughter.
Re:Well (Score:2)
I assumed as much, but ... well, what other reply should I give it?
slashdot editors HATE GAY PEOPLE (Score:-1)
That's why they've suppressed the story on the recent horrible radical islamic terrorist attack for so long. Only thanks to the pressure of countless AC volunteers did the editors give in and finally cover this terrorist attack. And when they did, they didn't even mention the term!
EditorDavid and whipslash should resign because of this disgrace!!
Re:slashdot editors HATE GAY PEOPLE (Score:0)
That's because they want CLINTON to win. Trump will be a president of the people, they can't let him win.
Re:slashdot editors HATE GAY PEOPLE (Score:0)
Though yet again, we have 2 shitty options. One is diarrhea spewing everywhere, one is solid shit.
Stale passwords (Score:0)
From 10 years ago for a website no longer in service? They might get $100 for that.
Re:Stale passwords (Score:2)
I wonder if the hack involved finding a fifteen-year-old server for sale on eBay.
Horse hockey! (Score:-1)
passwords (which were hashed and salted with MD5, an algorithm that nowadays is easy to crack)
According to the Wikipedia article on Preimage attack:
All currently known practical or almost-practical attacks on MD5 and SHA-1 are collision attacks.
This leak isn't going to expose any truly strong passwords.
Re:Horse hockey! (Score:3)
All this "MD5/SHA-1 is easy to crack" talk essentially boils down to "MD5 is a fast hash algorithm".
People regard hash algorithms which are slower as more secure, as they take longer to crack. The fact is, though, that the longer a hash algorithm takes to crack, the more load it puts on the server. So if your server has to churn for three seconds running ten million iterations of bcrypt in order to have a "strong" cipher, it "only" gives a linear increase in difficulty for the attacker.
And while the attacker only has to find a password once, the server has to process log-ins all day long, day after day.
A much better solution to this is to 1. hash+salt the passwords (e.g. with SHA-1 or maybe SHA-256 if you really want) and 2. encrypt them via an HSM (e.g. with AES). Then you send the HSM your SHA-256 value and the encrypted hash from the database, and the HSM tells you whether they match or not.
This way you will prevent hackers from doing any off-line brute-force attacks *at all*, unless they somehow get hold of the secret key inside the HSM. But this is much, much harder than accessing the database.
Well, anyway, in the real best case, everybody just used YubiKeys as first and only factor...
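The contrast the post above draws, as an added example that is not code from iMesh or from any project mentioned in the thread: salted MD5 as the leaked database used it, beside a salted hash that is then sealed under a key the database never holds. The HSM is simulated by a class that keeps the key and only answers match/no-match; HMAC stands in for the AES step the post describes, and the hash rate, user and password are constructed.

```python
import hashlib
import hmac
import os

def legacy_record(password: str, salt: bytes) -> bytes:
    """Salted MD5 as the leaked database reportedly stored it: anyone holding
    the dump can recompute this for a guess and compare, fully offline."""
    return hashlib.md5(salt + password.encode()).digest()

def db_only_check(record: bytes, salt: bytes, guess: str) -> bool:
    """What a dump-only attacker can do against salted MD5: verify guesses."""
    return legacy_record(guess, salt) == record

class SimulatedHsm:
    """Stand-in for the hardware module: holds the key, never exposes it,
    and only answers 'does this candidate hash match this stored record?'."""
    def __init__(self, key: bytes):
        self._key = key                      # never stored in the database

    def seal(self, salted_hash: bytes) -> bytes:
        # Keyed MAC over the salted hash (post says AES; the property is the
        # same: without the key the record cannot be recomputed from a guess).
        return hmac.new(self._key, salted_hash, hashlib.sha256).digest()

    def verify(self, salted_hash: bytes, record: bytes) -> bool:
        return hmac.compare_digest(self.seal(salted_hash), record)

def salted_sha256(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

def enroll(hsm: SimulatedHsm, password: str) -> tuple:
    """Returns (salt, sealed record); only these two values go into the DB."""
    salt = os.urandom(16)
    return salt, hsm.seal(salted_sha256(password, salt))

def login(hsm: SimulatedHsm, password: str, salt: bytes, record: bytes) -> bool:
    return hsm.verify(salted_sha256(password, salt), record)

def demo() -> dict:
    # Constructed sample: one user with a weak password.
    pw, salt = "letmein", os.urandom(16)
    legacy = legacy_record(pw, salt)
    hsm = SimulatedHsm(os.urandom(32))
    salt2, sealed = enroll(hsm, pw)
    # A dump-only attacker does not have the HSM key and must bring their own.
    attacker_hsm = SimulatedHsm(os.urandom(32))
    return {
        "legacy_offline_hit": db_only_check(legacy, salt, pw),   # True
        "sealed_real_login": login(hsm, pw, salt2, sealed),       # True
        "sealed_offline_hit": login(attacker_hsm, pw, salt2, sealed),  # False
    }
```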
Re:Horse hockey! (Score:3)
There are known weaknesses in MD5 that make it possible to find collisions in faster than brute force time.
Re:Horse hockey! (Score:3)
And as GP said, collision attacks are meaningless for leaked password databases.
What you actually need is preimage attacks, and MD5 still is strong on that front.
Re:Horse hockey! (Score:2, Insightful)
An "attack" means "faster than brute force".
For MD5, a video card from 2012 can brute force every possible 7 character password in a bit over an hour and every possible 8 character password in a bit over a year. If you limit it to likely passwords (letters and numbers) you can do 8 characters in 4 hours.
So yeah, any "truly strong" passwords are safe, for values of "truly strong" that were probably not well thought-out in 2005.
Re:Horse hockey! (Score:2)
a video card from 2012 can brute force every possible 7 character password in a bit over an hour and every possible 8 character password in a bit over a year.
That doesn't make sense. An 8 byte PW would take 256 times as long as a 7 byte PW, and really only ~128 times as long. So if a 7 byte PW takes an hour, then 8 bytes would take 5 days, not a year.
Re:Horse hockey! (Score:2)
If the numbers are accurate, it could have something to do with the space being searched. I don't understand either.
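Putting numbers on the 7- versus 8-character dispute above, as an added example that is not from the thread: the search space grows by the size of the character set per added character (95 for printable ASCII, 62 for letters and digits), and a slow KDF multiplies every figure by its iteration count, which is the "linear increase" the earlier post mentions. The hash rate is an assumed round figure, not a measured one.

```python
PRINTABLE = 95   # printable ASCII characters
ALNUM = 62       # letters and digits: the "likely passwords" subset
ASSUMED_RATE = 1e10   # assumed MD5 guesses per second for one GPU (not measured)

def keyspace(charset: int, length: int) -> int:
    """Number of candidates of exactly `length` characters."""
    return charset ** length

def growth_factor(charset: int, from_len: int, to_len: int) -> int:
    """Factor by which the space grows: charset per character, not 256,
    since a password character is not an arbitrary byte."""
    return keyspace(charset, to_len) // keyspace(charset, from_len)

def seconds_to_exhaust(charset: int, length: int,
                       rate: float = ASSUMED_RATE, iterations: int = 1) -> float:
    """Worst-case time to try the whole space; `iterations` models a slow
    KDF where each guess costs that many underlying hash calls."""
    return keyspace(charset, length) * iterations / rate

def human(seconds: float) -> str:
    for unit, size in (("y", 365 * 86400), ("d", 86400), ("h", 3600), ("m", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f}{unit}"
    return f"{seconds:.1f}s"

def table(rate: float = ASSUMED_RATE) -> list:
    """Rows of (label, seconds, readable) for the cases argued over above."""
    cases = [
        ("printable x7, MD5", PRINTABLE, 7, 1),
        ("printable x8, MD5", PRINTABLE, 8, 1),
        ("alnum x8, MD5", ALNUM, 8, 1),
        ("printable x8, 4096-iteration KDF", PRINTABLE, 8, 4096),
    ]
    return [(label, seconds_to_exhaust(c, n, rate, it),
             human(seconds_to_exhaust(c, n, rate, it)))
            for label, c, n, it in cases]

if __name__ == "__main__":
    for label, secs, readable in table():
        print(f"{label:36s} {readable:>8s}")
```

At the assumed rate, 7 printable characters fall in about two hours and 8 in about eight days, which is the 95x the second reply expects rather than the year claimed; 8 alphanumerics sit between the two.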
You said "hacker" (Score:0)
Now we have to lock you up, too.