Denise ([staff profile] denise) wrote in [site community profile] dw_news2018-10-04 06:38 pm

(no subject)

Hello all!

A number of people have received spam extortion emails in the past week or so containing passwords they've used on social network sites and demanding Bitcoin ransom. Some people have reported the emails included passwords they've used on Dreamwidth in the past, so we've taken the past few days to examine our servers for signs of compromise.

We do not currently believe that we're the source of the data breach that resulted in these emails. With the evidence we have at the moment, augmented by independent work other researchers have done, we're reasonably confident the breach happened on another social network site at least several years ago. If the password in the email matches your Dreamwidth password or a password you've used on Dreamwidth in the past, it's because you used the password on that other site during the time period in question.

We won't name the site yet because they haven't made a public announcement confirming the breach, but if you receive an email containing a password of yours, you should:

* Change your password anywhere else you've ever used that password (or a variant that follows a predictable scheme, like Password+Sitename).

* Install a password manager such as 1Password or LastPass to keep track of your passwords for you, so that you can use unique, complex passwords for each site you have an account on without having to remember (or retype!) them -- this really cuts down on the temptation to use the same password on multiple sites, I've found!

* Sign up for Have I Been Pwned? alerts, or at least check any email address you use regularly in their database, to let you know if a compromised password of yours is being circulated or sold. (HIBP is a legit resource run by a security researcher, and it doesn't ask for or reveal any passwords, just your email address.)
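As an added illustration of the Have I Been Pwned? approach (this is example code, not Dreamwidth's or HIBP's own), the snippet below shows how HIBP's separate Pwned Passwords range API lets you check a password without ever sending it: only the first five hex characters of its SHA-1 hash leave your machine, and the service answers with every matching hash suffix so your full hash is never revealed. The sample response is constructed here so the example runs offline; the real endpoint is `https://api.pwnedpasswords.com/range/<prefix>`.

```python
import hashlib
import urllib.request

# Real HIBP Pwned Passwords range endpoint (k-anonymity model).
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password.

    Only the 5-character prefix is ever sent to the API; the 35-character
    suffix stays local and is compared against the returned list.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return how many
    times the password has been seen in known breaches (0 if absent)."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        seen_suffix, _, count = line.partition(":")
        if seen_suffix.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Fetch the live range listing for a hash prefix (network access)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "pw-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" starts
# with 5BAA6). The counts are made up for this example.
SAMPLE_RESPONSE = """
1D2D5B4E6E1F1C4B5A1A9C4E2D3B4A5C6D7:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
2A1B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8:12
"""


def is_pwned_offline(password: str, response_text: str = SAMPLE_RESPONSE) -> int:
    """Breach count for a password, checked against a stored range response."""
    _prefix, suffix = split_sha1(password)
    return count_in_range_response(suffix, response_text)
```

A breach count above zero means the password should be retired everywhere it was used, which is exactly the first step in the list above.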

We're leaving comments screened for this post, but if you have any questions, you can ask in our public support area if your question doesn't involve sensitive information, or email if your question involves anything you don't want to be public.
