51 Million iMesh Passwords Dumped Online

If you're suffering from data-breach fatigue, tough luck. LeakedSource, the shadowy website that broke the recent news of the LinkedIn and MySpace breaches, today (June 13) announced that 51 million account credentials for iMesh, a defunct file-sharing service, were being sold online.

Credit: g-stockstudio/Shutterstock

(Image credit: g-stockstudio/Shutterstock)

The good news is that the passwords were hashed and salted — mathematically scrambled, with random characters added pre-scrambling to confuse password crackers. The bad news is that the hashing algorithm was so weak that LeakedSource cracked many passwords anyway.

If you had an iMesh account and you used the same username and password elsewhere, go change the passwords on those accounts immediately.

MORE: How to Create and Remember Super-Secure Passwords

Briefly, iMesh was a peer-to-peer file-sharing client that started up in the Napster days, surived a record-industry lawsuit and went "legit" in 2004. But it quietly shut down earlier this year, without much explanation.

The company hashed its user passwords with the MD5 algorithm, for which the first weakness was found in 2005. The number of MD5 flaws has built up since then, and no company should have been using the algorithm in 2013, when the iMesh data breach seems to have happened.

"Passwords were stored in multiple MD5 rounds with salting," read a LeakedSource blog post. "'Salting' makes decrypting passwords exponentially harder when dealing with large numbers such as these, and is better than what LinkedIn and MySpace did, but MD5 itself is not nearly hard enough for modern computing. The methods iMesh used, albeit 3 years ago, were still insufficient for the times."

LeakedSource's list of the most common iMesh passwords is depressing. Close to a million accounts (or about 2 percent) used "123456", more than 300,000 used "123456789", and so on. Except for "password" at No. 5 with 86,000 users, all the top 10 iMesh passwords were similarly common numerical sequences.

If you had an iMesh account, and your password was that bad, and you used that same brain-dead password and username on other accounts, then those other accounts have probably already been hacked.

Because the iMesh accounts included email addresses, IP addresses and country locations, LeakedSource established that the data dump included 13.7 million American users, nearly 4 million Turkish users and 3.6 million British users.

Hotmail was the most common email-address domain, followed by Yahoo. Gmail was a distant third, a sign that the bulk of the iMesh users signed up before Gmail was opened up to the general public in 2007.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.