Denise ([staff profile] denise) wrote in [site community profile] dw_news, 2020-05-26 09:12 pm

PSA: Likely LiveJournal password compromise

UPDATE 28 May 2020 12:30PM EDT: We have sent out notices to a number of people who were affected by this alleged LiveJournal password compromise, informing you that you need to change your password. We accidentally failed to filter for two scenarios, so:

* Some accounts that have been deleted and purged accidentally got sent the password change notice. I am so sorry! You can safely ignore the email regarding any deleted and purged account. This has also made us realize that the user purge function is not properly removing at least one piece of user data (email address) that should be removed when an account is deleted and purged. We apologize profusely for that as well: we didn't look closely at the behavior of that function when we forked from LJ's codebase in 2008 (or since, obviously), and we should have. When this immediate issue is handled, we will closely audit that function to make sure it's nuking everything it should be nuking, and we will go back and remove everything from deleted and purged accounts in our database that should have been removed in the first place.

* Some people who had previously reused passwords, but who changed their password on Dreamwidth on or after 26 April 2020 (when we made a number of changes to how we handle and store passwords), accidentally got a copy of the email saying that their password would be reset in 3 days. I apologize for that as well! That was our mistake in forgetting to account for some of the changes in how we handle passwords when we tried to identify the DW accounts that were at risk. We will absolutely make the correction before we force password resets.


UPDATE 27 May 2020 3:55PM EDT: LiveJournal has issued a statement including "...we analyzed data appeared and can say that the data may be compiled using different sources and mostly falsified." After reviewing their statement, we are not changing our recommendation that you should consider your LiveJournal passwords compromised.


*


ORIGINAL POST 26 May 2020 9:15PM EDT:

Have I Been Pwned?, the notification service for password breach incidents, has now loaded a file of 26 million accounts containing usernames, email addresses, and passwords that allegedly were taken from LiveJournal at some point several years ago.

The information in this file has been available on the black market since at least October of 2018, when we first reported people getting spam extortion emails with passwords in them. Our investigation at the time showed that we were not the likely source of the password data in those extortion emails, and that the likely source was a breach from LiveJournal.

Beginning in March of 2020, and again in May of 2020, we saw several instances of Dreamwidth accounts being broken into and used for spam. We believed at the time, and continue to believe, that the source of the password information being used to break into these accounts is the same black-market file that claims to be LiveJournal password data. Every user we asked whether they had used the compromised password on LiveJournal before confirmed that they had.

We have no way to tell for sure whether LiveJournal has actually had a data breach, or whether the file that's circulating is real or fake. All we can say for certain is that none of the evidence we've seen has disproven the claim made by the people offering the file that the file contains usernames and passwords taken from LiveJournal. We've contacted LiveJournal about our findings several times, and they've told us each time that they don't believe the situation warrants disclosure to their users. However, at this point we must advise that you treat the file as legitimate and behave as though any password you used on LiveJournal in the past may be compromised.

We've seen several contradictory claims about when the file was allegedly gathered from LiveJournal: one claim for June/July of 2014, and one claim for sometime in 2017. From what we've learned from our users who we've spoken to about their accounts, we believe the 2014 claim is more likely to be accurate and that the person(s) who obtained the data in 2014 didn't use it for several years, but we can't say for certain. Because of that uncertainty, it's best if you treat any password you've ever used on LiveJournal in the past as compromised, since we can't tell for certain when the alleged breach happened.

Since the first indications in March that someone or someones have been trying the information in that file against Dreamwidth accounts, we've been working to identify and notify the Dreamwidth accounts we felt were most at risk. With the alleged password file now more widely available, and the information loaded into Have I Been Pwned, we will be contacting more Dreamwidth users who may have reused their passwords from LiveJournal to change their passwords and resecure their accounts.
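Added example (not Dreamwidth's code, and not from the post): one way to do the "identify the accounts most at risk" matching described above when a site holds only salted, slow hashes of its users' passwords and the leaked file contains email addresses and plaintext passwords, as the post says this one does. The account schema, field names, PBKDF2 parameters and sample accounts are assumptions for illustration. It also applies the two filters the 28 May update says were missed in the first notification run: purged accounts are skipped, and so are accounts whose password was changed on or after 26 April 2020.

```python
import hashlib
import hmac
import os
from datetime import date

# Hypothetical account schema for this example (not Dreamwidth's): each account keeps a
# salted PBKDF2-HMAC-SHA256 verifier, a purge flag, and the date of its last password change.
PBKDF2_ITERATIONS = 100_000
# The update says password handling changed on 26 April 2020; passwords set on or after
# that date were not at risk and must not be flagged.
PASSWORD_CHANGE_CUTOFF = date(2020, 4, 26)


def make_verifier(password, salt=None):
    """Return (salt, digest) for storage; the salt is random unless one is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def password_matches(password, salt, digest):
    """Recompute the verifier for a candidate password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def at_risk_accounts(accounts, leaked_records, cutoff=PASSWORD_CHANGE_CUTOFF):
    """Usernames whose current password equals a leaked password for the same email.

    Skips purged accounts and accounts whose password was changed on or after `cutoff`:
    the two filters the 28 May update says were missed the first time.
    """
    leaked_by_email = {}
    for rec in leaked_records:
        leaked_by_email.setdefault(rec["email"].lower(), set()).add(rec["password"])

    flagged = []
    for acct in accounts:
        if acct["purged"]:
            continue
        if acct["password_changed"] >= cutoff:
            continue
        # One slow hash per leaked candidate; indexing the leak by email first means the
        # expensive comparison only runs for accounts that actually appear in the file.
        for leaked_pw in leaked_by_email.get(acct["email"].lower(), ()):
            if password_matches(leaked_pw, acct["salt"], acct["digest"]):
                flagged.append(acct["username"])
                break
    return flagged


def sample_data():
    """Constructed sample input (not real user data): five accounts and a small leak file."""
    def account(username, email, password, changed, purged=False):
        salt, digest = make_verifier(password, salt=b"fixed-salt-" + username.encode())
        return {"username": username, "email": email, "salt": salt, "digest": digest,
                "password_changed": changed, "purged": purged}

    accounts = [
        account("alice", "alice@example.org", "hunter2", date(2019, 1, 10)),              # reused: flag
        account("bob", "bob@example.org", "correct horse battery", date(2019, 6, 1)),      # different password
        account("carol", "carol@example.org", "hunter2", date(2018, 3, 3), purged=True),   # purged: skip
        account("dave", "dave@example.org", "hunter2", date(2020, 5, 1)),                  # changed after cutoff
        account("erin", "erin@example.org", "hunter2", date(2019, 9, 9)),                  # not in leak file
    ]
    leaked = [
        {"email": "Alice@example.org", "password": "hunter2"},
        {"email": "bob@example.org", "password": "hunter2"},
        {"email": "carol@example.org", "password": "hunter2"},
        {"email": "dave@example.org", "password": "hunter2"},
    ]
    return accounts, leaked


if __name__ == "__main__":
    accounts, leaked = sample_data()
    print("notify:", at_risk_accounts(accounts, leaked))  # -> ['alice']
```

The check has to be done this way round (hash each leaked plaintext with the site's own salt and verifier) because the site cannot recover plaintexts from its hashes; the cost is one slow hash per leaked candidate, which is why the leak is indexed by email before any hashing happens.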

If you get an email from us about changing your password that points to this news post, the email is legitimate, and you should change your password as soon as possible, on Dreamwidth and on any other site you may have used it on, including LiveJournal. To verify that any password email you receive is actually from us, log into your Dreamwidth account and visit the home page or [site community profile] dw_news, and look for a post like this one confirming that the message is legitimate.

We'd also like to urge you to regularly look up your email addresses in Have I Been Pwned? to see if your information appears in this (or any other!) password breach. It's a legitimate site that provides a valuable security resource.
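Added example (not from the post or from Have I Been Pwned): the email lookup the post recommends is done on the HIBP website or with an API key, but the companion Pwned Passwords service can be queried without an account and without sending the password. The client hashes the password with SHA-1, sends only the first five hex characters of the hash to the range endpoint, and compares the returned suffixes locally. The sample response below is constructed (its counts and the other suffixes are made up); only the prefix and suffix of SHA-1("password") are real.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords k-anonymity endpoint


def split_sha1(password):
    """Uppercase hex SHA-1 of the password, split into the 5-char prefix sent to the
    service and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines (one per leaked hash sharing the prefix) into a dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range):
    """How many times the password appears in the corpus; 0 if it is not there.

    fetch_range(prefix) -> response body. Only the prefix is sent, so the service
    learns neither the password nor its full hash."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix):
    """Real lookup against the service (not used by the offline sample below)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed response for prefix 5BAA6 (the prefix of SHA-1("password")); the counts
# and the other two suffixes are made up, not data from the service.
SAMPLE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "21B3B6D9EC72A0C8AF9A6C3B7B4B8F3F5B1:1",
    ]),
}


def fetch_range_sample(prefix):
    """Offline stand-in for fetch_range_live: unknown prefixes return an empty body."""
    return SAMPLE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, fetch_range_sample))
```

To run it against the real service, pass fetch_range_live instead of fetch_range_sample; a non-zero count means the password is in a known breach corpus and should be changed everywhere it was used.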

*

All comments to security-related posts are automatically screened. If you need to contact someone about your account, please open a support request in the Terms of Service category, and someone will get back to you as soon as possible. Comment notification emails may also be delayed for up to several hours after a news post is posted. (We think we've managed to squash the receiving-multiple-copies-of-news-post-emails problem this time, but if you get multiple copies again, we're sorry!) (EDIT: Yup, this fix didn't work either and we're still sending multiples. We're still sorry!)

[personal profile] momijizukamori, 2020-05-27 01:54 am (UTC)
As someone who works in cybersecurity: please, please, please install and use a password manager. It'll let you generate unique, strong passwords for accounts and sync them across your devices. Password reuse is one of the biggest, simplest ways most average people get their accounts compromised.

A non-exhaustive list of options that have good reps within the security community:
- LastPass (has a free plan)
- 1Password
- Dashlane
- KeePass (free and open source, but more work to set up)
- BitWarden (has free plan, also open source)

Pick one based on your financial situation, supported browsers and devices, and comfort with entrusting syncing to a third party (the way basically all of these work, the online service only sees and stores your encrypted data vault; decryption is done locally on your device to give access to the passwords).