denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)
Denise ([staff profile] denise) wrote in [site community profile] dw_news2018-10-04 06:38 pm

(no subject)

Hello all!

A number of people have recieved spam extortion emails in the past week or so containing passwords they've used on social network sites and demanding Bitcoin ransom. Some people have reported the emails included passwords they've used on Dreamwidth in the past, so we've taken the past few days to examine our servers for sign of compromise.

We do not currently believe that we're the source of the data breach that resulted in these emails. With the evidence we have at the moment, augmented by independent work other researchers have done, we're reasonably confident the breach happened on another social network site at least several years ago. If the password in the email matches your Dreamwidth password or a password you've used on Dreamwidth in the past, it's because you used the password on that other site during the time period in question.

We won't name the site yet because they haven't made a public announcement confirming the breach, but if you receive an email containing a password of yours, you should:

* Change your password anywhere else you've ever used that password (or a variant that follows a predictable scheme, like Password+Sitename).

* Install a password manager such as 1Password or LastPass to keep track of your passwords for you, so that you can use unique, complex passwords for each site you have an account on without having to remember (or retype!) them -- this really cuts down on the temptation to use the same password on multiple sites, I've found!

* Sign up for Have I Been Pwned? alerts, or at least check any email address you use regularly in their database, to let you know if a compromised password of yours is being circulated or sold. (HIBP is a legit resource run by a security researcher, and it doesn't ask for or reveal any passwords, just your email address.)

We're leaving comments screened for this post, but if you have any questions, you can ask in our public support area if your question doesn't involve sensitive information, or email if your question involves anything you don't want to be public.