iMesh, a now defunct service that was once one of the biggest P2P sites in the US, reportedly suffered a data breach in 2013 which has now led to a huge database of 51 million users’ credentials going for sale on the dark web. This is the latest in a string of huge databases coming up online, after the recent breach at MySpace and LinkedIn led to tens of millions of users’ info being loaded onto the dark web.
The hacker behind this leak, Peace, has set an asking price of just half a bitcoin, which converts to roughly £245 ($350). Such a low price is surprising at first, but it starts to make sense on closer analysis.
Javvad Malik, Security Advocate at AlienVault, told us that the low price would primarily be due to the fact that “iMesh is now defunct, so the value is only in seeing if users have reused the passwords elsewhere. The other factors would boil down to market pressures. There are other big breaches out there so in order to sell, it needs to be priced competitively.”
Itsik Mantin, Director of Security Research at Imperva, added that it was likely the data had been aggregated from various sources and that with such a large trove of data, you can expect brute force attacks to become a lot easier and a lot more frequent. He added that “to prevent brute force attacks security officers should not only rely on password policies, but should also take specific detection measures like rate limiting login attempts, detecting login attempts from automated browsers, being cautious about logins from unexpected countries and anonymous sources and comparing login data to popular passwords and stolen credentials.”
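As an added illustration of two of the measures Mantin lists (rate limiting login attempts and comparing submitted credentials against known stolen passwords), the following Python sketch is not code from the article or from Imperva; the leaked-password list and IP addresses are constructed sample values.

```python
"""Login-attempt screen: per-source and per-account rate limiting plus a
check of the submitted password against a known-breached list.
Added example; the breached list below is a constructed sample."""
import hashlib
import time
from collections import defaultdict, deque

# Constructed sample of leaked passwords, kept as SHA-1 digests so the
# plaintexts are not held in memory after load.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "letmein")
}
MAX_ATTEMPTS = 5   # attempts allowed per key inside WINDOW seconds
WINDOW = 60.0


class LoginScreen:
    def __init__(self, now=time.time):
        self.now = now                       # injectable clock for testing
        self.attempts = defaultdict(deque)   # key -> recent timestamps

    def _rate_limited(self, key, ts):
        """Sliding-window counter: drop timestamps older than WINDOW,
        record this attempt, and report whether the limit is exceeded."""
        q = self.attempts[key]
        while q and ts - q[0] > WINDOW:
            q.popleft()
        q.append(ts)
        return len(q) > MAX_ATTEMPTS

    def check(self, username, password, source_ip):
        """Return the list of signals that fired for this attempt; an empty
        list means nothing suspicious was seen. Password verification itself
        is out of scope here and would follow this screen."""
        ts = self.now()
        reasons = []
        # Limit by source and by target account separately: a credential-
        # stuffing run spreads one leaked list across many accounts from
        # few sources, so either counter alone can be evaded.
        if self._rate_limited(("ip", source_ip), ts):
            reasons.append("rate_limit_ip")
        if self._rate_limited(("user", username), ts):
            reasons.append("rate_limit_user")
        if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
            reasons.append("breached_password")
        return reasons
```

A breached-password hit on an otherwise valid login is the reuse signal the quoted experts describe, and is a natural trigger for a forced reset rather than a silent block.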
Once again, it seems that the all too common bad practice of reusing the same password across different online services is what the hackers are gambling on to make their attempts worthwhile. Lamar Bailey, Senior Director of Security R&D at Tripwire, advised users to “create strong unique passwords for each site they visit and that is harder than it sounds given the sheer number of sites people visit every day. The best way to accomplish this is to use a password generator and vault to keep track of your passwords. Many of the products have very minimal costs and they will remind you to change passwords and alert you of breaches to sites you access.”
So it’s another big breach in the news; will we ever learn? The issue is that so much data has been left online by web users, giving hackers reams of intelligence to work from should they decide to target you. Lisa Baergen, Director of NuData Security, explained to us why this matters:
“While it’s good practise to change your usernames and passwords often, victims of a breach need to understand that every single piece of identifiable information exposed is important. Credentials from various breaches are sold in packages on the dark web, and used to build a “Fullz”, or full online identity profile. These full profiles are sold for higher value than just pieces, because the more complete the information, the more fraud can (and likely will) take place.
“For example, if I’m a hacker and gain access to geographical data on John Smith from breach one, e.g. LinkedIn, and bank account information from breach two, I can fill out a loan application or apply for a new credit card as John regularly would. Or, more frighteningly, gain access to your work credentials, where the damage could be colossal.
“Where credit card fraud was all the rage a couple of years ago, it is this kind of account takeover and new account fraud that is on the painful and dramatic rise. We saw in our own database of nearing 81 billion behavioural events annually, a 10% month-over-month increase in new account fraud.”