A data dump containing account information of over 26 million LiveJournal users has been offered for sale on dark web marketplaces and is now being shared for free on underground hacker forums.
The data dump, supposedly originating from a 2014 LiveJournal breach, contains email addresses, usernames, profile URLs and plain text passwords of 33+ million users.
After removing duplicates, Troy Hunt has added the dump to the Have I Been Pwned? service, where users can check whether their account is included. He also dated the data dump to 2017 because that year was included in the dump's file name.
When did the breach happen?
The story of this data breach and leak is an interesting one.
There have been rumors about a supposed LiveJournal breach for years, though the blogging platform, which is owned by Russian media company Rambler Media Group, never confirmed them.
Back in 2018, Hunt received reports about a sextortion campaign targeting LiveJournal users and using their passwords:
— Troy Hunt (@troyhunt) October 11, 2018
Denise Paolucci, one of the owners of Dreamwidth, an online journal service based on the LiveJournal codebase (and with a significant crossover in user base), said on Tuesday that the data dump has been available on the black market since at least October of 2018, when they first reported people getting spam extortion emails with passwords in them.
“Beginning in March of 2020, and again in May of 2020, we saw several instances of Dreamwidth accounts being broken into and used for spam. We believed at the time, and continue to believe, that the source of the password information being used to break into these accounts is the same black-market file that claims to be LiveJournal password data. Every user we asked whether they had used the compromised password on LiveJournal before confirmed that they had,” she explained.
“We have no way to tell for sure whether LiveJournal has actually had a data breach, or whether the file that’s circulating is real or fake. All we can say for certain is that none of the evidence we’ve seen has disproven the claim made by the people offering the file that the file contains usernames and passwords taken from LiveJournal. We’ve contacted LiveJournal about our findings several times, and they’ve told us each time that they don’t believe the situation warrants disclosure to their users. However, at this point we must advise that you treat the file as legitimate and behave as though any password you used on LiveJournal in the past may be compromised.”
Advice for companies and affected users
“Breaches happen all too often and, unfortunately, companies do not always disclose them. This breach illustrates a bigger issue beyond just LiveJournal. Delaying announcements to consumers about breaches can have a long-lasting impact on those affected,” said Joe Skocich, Vice President at security company Identité.
“In this case, hackers stole email addresses, passwords and usernames that consumers most likely use for other accounts and could lead to even more personal information being shared. Since consumers can’t rely on breach notifications to be timely or to even come at all, outdated log-in systems that make consumers more susceptible to attacks need to be retired.”
Past and current LiveJournal users are advised to change their password to a new, long and unique one, and to do the same on any other account where they used the same password.