On underground criminal marketplaces, the email addresses and plaintext passwords of over 26 million LiveJournal blogging accounts are being traded, despite LiveJournal’s owners refusing to acknowledge that any security breach has occurred.
The first rumours of a major security incident involving LiveJournal passwords began bubbling up in October 2018, when data breach expert Troy Hunt tweeted that he had received multiple reports of a compromise after users complained of receiving sextortion emails quoting passwords they said they had only ever used on the platform.
At the same time Dreamwidth, a blogging platform forked from LiveJournal’s code, warned that it had also received reports of spam extortion emails demanding a Bitcoin ransom.
Dreamwidth said then that it did not believe that its own site was the source of the data breach which fuelled the emails, and declined to name the site in question “because they haven’t made a public announcement confirming the breach.”
Yesterday, however, Dreamwidth publicly named LiveJournal as the likely source of the hacked data. Worryingly, according to Dreamwidth, LiveJournal does not seem inclined to tell its users of the breach.
“We’ve contacted LiveJournal about our findings several times, and they’ve told us each time that they don’t believe the situation warrants disclosure to their users. However, at this point we must advise that you treat the file as legitimate and behave as though any password you used on LiveJournal in the past may be compromised.”
Dreamwidth says that it has in the past been the victim of credential-stuffing attacks, seemingly powered by the usernames and passwords stolen from LiveJournal.
Troy Hunt’s HaveIBeenPwned service has a copy of the breached data, and earlier today an alert was sent out to the owners of 26,372,781 LiveJournal accounts that those passwords should be considered compromised.
Clearly, it would be advisable for affected users to not only change their LiveJournal password, but also ensure that they are not reusing that same password anywhere else on the internet.
The password database itself seems to have been created some years ago, so there is some hope that many users will have changed their passwords in the intervening years anyway. But better to be safe than sorry.