Following the so-called 'mega-breaches' at LinkedIn and Myspace, a hacker is selling a massive cache of 51 million user credentials purporting to be from the now-defunct iMesh – once the third-largest peer-to-peer filesharing website in the US.
On a dark web marketplace called The Real Deal, the hacker, using the pseudonym Peace, is attempting to sell the dataset of 51,310,759 records for 0.5 bitcoin, which is the equivalent of £245 ($350) at the time of writing.
The information was first obtained by a breach notification website called LeakedSource, which allows users to check if their personal details are included in the trove of leaked data.
Based on analysis of the database, the records were initially hacked in September 2013 and the leak contains a slew of email addresses, usernames, IP addresses, country locations and dates when users signed up to the music and video-sharing service.
LeakedSource states that passwords were hashed and 'salted' with the MD5 algorithm, which is easy to crack by modern computing standards, meaning anyone who purchases the data could access the records with little trouble.
In a blog post, a LeakedSource researcher said: "Salting makes decrypting passwords exponentially harder when dealing with large numbers such as these, and is better than what LinkedIn and MySpace did but MD5 itself is not nearly hard enough for modern computing. The methods iMesh used, albeit three years ago, were still insufficient for the times."
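For sites still holding salted MD5 records of the kind described above, the following added example (not code from iMesh or LeakedSource) shows one way to verify legacy records and re-hash them with a slow key-derivation function on the next successful login. The `md5(salt + password)` layout, the record format, the function names and the iteration count are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def legacy_md5_record(password, salt):
    """Salted MD5 as md5(salt + password). The real iMesh layout is not
    given in the article, so this construction is an assumption."""
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return "md5$" + salt.hex() + "$" + digest


def pbkdf2_record(password, salt=b"", iterations=PBKDF2_ITERATIONS):
    """Salted and deliberately slow: pbkdf2$<iterations>$<salt>$<digest>."""
    salt = salt or os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify(password, record):
    """Recompute the record from its stored parameters and compare it
    in constant time. Unknown schemes are rejected."""
    scheme, *fields = record.split("$")
    if scheme == "md5" and len(fields) == 2:
        expected = legacy_md5_record(password, bytes.fromhex(fields[0]))
    elif scheme == "pbkdf2" and len(fields) == 3:
        expected = pbkdf2_record(password, bytes.fromhex(fields[1]), int(fields[0]))
    else:
        return False
    return hmac.compare_digest(expected, record)


def login(password, record):
    """Return (ok, record_to_store). A legacy MD5 record is replaced with a
    PBKDF2 record while the plaintext is available after a good login."""
    if not verify(password, record):
        return False, record
    if record.startswith("md5$"):
        record = pbkdf2_record(password)
    return True, record
```

The salt only ensures that two users with the same password get different records; the cost of each verification is set by the iteration count, which a single MD5 pass does not have.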
LeakedSource, which also obtained credentials stolen from Myspace, Twitter, LinkedIn and Russia-based social media platform VK, revealed that more than 13 million of the accounts are from US customers. This is followed by Turkey (3,984,906) and the UK (3,646,707). Furthermore, like the other recent breaches, passwords used were shockingly weak. These included '123456' (993,176), 'Password' (76,989) and '1234' (233,088).
In an email sent to technology website ZDNet, iMesh's former chief operating officer Roi Zemmer said he was "not aware of any hacks" and claimed that the firm used "state of the art" technology to protect users from cybercriminals. However, when presented with a sample of the leaked data, Zemmer reportedly did not deny the credentials were legitimate.
The elusive hacker, known as Peace, who is believed to be Russian, has become notorious in hacking circles for a consistent release of data dumps over the past few months. On the Real Deal marketplace, he or she is self-described as a "shady dark-web data dealer" and currently has a feedback rating of 100%.
As previously reported, Peace is competing for the attention of buyers with another hacker called Tessa88, also believed to be Russian, who has claimed that many more large-scale data dumps are on the horizon, including from Facebook-owned photograph platform Instagram.