Hacker Puts 51 Million iMesh Accounts For Sale On Dark Web (zdnet.com)
An anonymous reader shares a ZDNet report: User accounts for iMesh, a now-defunct file sharing service, are for sale on the dark web. The New York-based music and video sharing company was a peer-to-peer service, which rose to fame in the file sharing era of the early-2000s, riding the waves of the aftermath of the "dotcom" boom. LeakedSource, a breach notification site that allows users to see if their details have been leaked, has obtained the database. The group's analysis of the database shows it contains a little over 51 million accounts. The database, of which a portion was shared with ZDNet for verification, contains user information that dates back to late-2005 when the site launched, including email addresses, passwords (which were hashed and salted with MD5, an algorithm that nowadays is easy to crack), usernames, a user's location and IP address, registration date, and other information -- such as if the account is disabled, or if the account has inbox messages.
Re:Well (Score:4, Insightful)
Could we close down the surveillance-infested other one instead?
Re: (Score:2)
Can't. Anything FB-related is banned from my network.
Re: (Score:2)
Sure! Just sign my petition on Facebook!
Can't. Anything FB-related is banned from my network.
Whoosh? I loved your original comment, but I kinda think AC had tongue firmly in cheek - my first response was laughter.
Re: (Score:2)
I assumed as much, but ... well, what other reply should I give it?
Re: (Score:2)
I wonder if the hack involved finding a fifteen-year-old server for sale on eBay.
Re: (Score:3)
All this "MD5/SHA-1 is easy to crack" talk essentially boils down to "MD5 is a fast hash algorithm".
People regard hash algorithms which are slower as more secure, as they take longer to crack. The fact is though that the longer a hash algorithm takes to crack, the more load it puts on the server. So if your server has to churn for three seconds running ten million iterations of bcrypt in order to have a "strong" cipher, it "only" gives a linear increase in difficulty for the attacker.
And while the attacker
Re: (Score:3)
There are known weaknesses in MD5 that make it possible to find collisions in faster than brute force time.
Re: (Score:3)
And as GP said, collision attacks are meaningless for leaked password databases.
What you actually need is preimage attacks, and MD5 still is strong on that front.
Re: (Score:2, Insightful)
An "attack" means "faster than brute force".
For MD5, a video card from 2012 [codinghorror.com] can brute force every possible 7 character password in a bit over an hour and every possible 8 character password in a bit over a year. If you limit it to likely passwords (letters and numbers) you can do 8 characters in 4 hours.
So yeah, any "truly strong" passwords are safe, for values of "truly strong" that were probably not well thought-out in 2005.
Re: (Score:2)
a video card from 2012 can brute force every possible 7 character password in a bit over an hour and every possible 8 character password in a bit over a year.
That doesn't make sense. An 8 byte PW would take 256 times as long as a 7 byte PW, and really only ~128 times as long. So if a 7 byte PW takes an hour, then 8 bytes would take 5 days, not a year.
Re: (Score:2)
If the numbers are accurate, it could have something to do with the space being searched. I don't understand either.
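The arithmetic the last few comments argue over, as an added example that is not part of the thread: it derives the guess rate implied by "every 7-character password in about an hour" and projects the 8-character time for three alphabets, with and without a per-guess work factor. The alphabet sizes and the 10,000 work factor are assumptions chosen for illustration; nothing here is measured.

```python
# Added example: keyspace arithmetic for the round figures quoted in the thread.
# Alphabet sizes and the work factor are assumptions, not measurements.

ALPHABETS = {
    "letters+digits": 62,    # a-z, A-Z, 0-9
    "printable ASCII": 95,   # 0x20..0x7e
    "any byte": 256,
}

def keyspace(symbols, length, up_to=False):
    """Candidates of exactly `length` symbols, or of 1..length if up_to."""
    if up_to:
        return sum(symbols ** n for n in range(1, length + 1))
    return symbols ** length

def implied_rate(symbols, length, seconds):
    """Guesses per second implied by 'every length-N password in `seconds`'."""
    return keyspace(symbols, length) / seconds

def exhaust_seconds(symbols, length, rate, work_factor=1):
    """Time to try every candidate when one guess costs `work_factor` fast-hash
    evaluations (1 models a single salted MD5). The server pays the same
    factor once per login; the attacker pays it once per guess."""
    return keyspace(symbols, length) * work_factor / rate

def human(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

def report():
    rows = []
    for name, symbols in ALPHABETS.items():
        # Anchor on the thread's claim: all 7-character passwords in about an hour.
        rate = implied_rate(symbols, 7, 3600)
        for wf in (1, 10_000):
            rows.append((name, wf, human(exhaust_seconds(symbols, 8, rate, wf))))
    return rows

if __name__ == "__main__":
    for name, wf, t in report():
        print(f"{name:16} work factor {wf:>6}: 8 chars in {t}")
```

Adding one character multiplies the search by the alphabet size, so whichever alphabet is assumed, an hour for 7 characters gives days for 8 at the same rate; the work factor scales the result linearly.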