
Cyber Incident Victim: iMesh

Date: Sep 2013

Location: United States of America

Summary

A now-defunct file-sharing service suffered a breach compromising approximately 51 million user accounts, which were subsequently listed for sale on the dark web. The exposed data included email addresses, usernames, geographic locations, IP addresses, registration dates, and passwords stored using outdated MD5 hashing with salting. Analysis indicated the intrusion likely occurred years prior, though the company denied awareness of any security compromise. The database was obtained by multiple actors, including a known seller using the alias "Peace," who offered the dataset for one bitcoin. A significant portion of affected users were based in the United States, United Kingdom, and Europe, with account activity showing declining service adoption preceding the incident.


Description

In June 2016, a database containing approximately 51 million iMesh user accounts was listed for sale on the dark web, exposing credentials from the defunct peer-to-peer file sharing service. The New York-based company, once the third-largest music and video sharing platform in the US, had unexpectedly ceased operations the previous month after operating since 2005. LeakedSource, a breach notification service, obtained and analyzed the database, determining it contained email addresses, salted MD5 password hashes, usernames, geographic locations, IP addresses, registration dates, account status indicators, and message inbox metadata. The records spanned from the service's launch in late 2005 through September 2013, with LeakedSource identifying that timeframe as the likely breach period based on the most recent entries. Analysis revealed significant user base decline, from peak annual registrations of 9.4 million in 2009 to 2.5 million new accounts in 2013. Approximately 13 million affected accounts originated from US users, with millions more from the UK and Europe. iMesh's Chief Operating Officer Roi Zemmer denied awareness of any security compromises in an email statement, asserting the company had employed "state of the art technology" to protect user information prior to its shutdown.


The stolen data entered broader circulation when a dark web vendor known as "Peace" acquired the database and listed it for sale at 1 bitcoin (approximately $590 in June 2016). Peace had previously marketed stolen data from Fling, LinkedIn, Badoo, and VK.com. Verification efforts faced challenges due to iMesh's discontinued operations and diminished user activity in its final years. Journalists attempted to contact recently registered users identified in the breach but received no immediate responses. The MD5 hashing algorithm used to protect passwords was noted as cryptographically weak by contemporary security standards, increasing the risk that the passwords could be recovered by cracking the hashes. No attribution was established for the breach, with LeakedSource confirming only that "someone obviously hacked" the service without identifying potential perpetrators. The incident exposed sensitive information from a service that had settled copyright infringement litigation with the RIAA in 2003, subsequently rebranding as the first RIAA-approved P2P platform before its eventual closure.
