This is from Dreamwidth alerting those who use both LJ and Dreamwidth about a data breach:
tl;dr: Change your passwords on LJ and Dreamwidth
* Many legitimate older accounts have been broken into this week and used for spamming.
* This is not a security issue with Dreamwidth itself: we've confirmed the hijacked accounts were compromised through password re-use.
* Our investigation makes us think this is connected to 2020's LiveJournal security incident.
* For your safety, treat any password you have ever used on LiveJournal, on any account, at any point, as compromised.
* Do not reuse any password you have ever used on LiveJournal on any other site, but especially on Dreamwidth.
* If your Dreamwidth password is the same as any password you've ever used on LiveJournal, on any account, at any point, change it now.
* Please install a password manager, let it generate your passwords for you, and use it to remember your passwords.
The longer explanation:
Many folks have noticed a rash of accounts that have been broken into and used for spamming this week. After some investigation (and we're grateful for the information provided by the people who have been able to resecure their accounts!) we believe this is continuing fallout from an incident that security researchers have concluded was an ongoing, undisclosed password database compromise on LiveJournal.com, covering at least the time period between 2014 and 2017 and potentially covering a much wider range of dates.
During that period in 2020 when a password file claiming to be the passwords of 20+ million LiveJournal user accounts began more widely circulating on the black market, and after we disclosed the incident to our users because of the very high rate of user overlap and password reuse between our site and LiveJournal, LiveJournal released a statement claiming that the data contained in the black market password file was fabricated and the source of the data was not a LiveJournal compromise. They continue to deny that any of the records in that file are legitimate.
We do not believe LiveJournal's statement is accurate. At the time of the incident, we were able to obtain that black market password file, and we verified the accuracy of multiple records contained in the file, for LiveJournal accounts belonging to DW staff and volunteers and LiveJournal accounts belonging to a representative sample of helpful users we contacted to verify the accuracy of the records. Our examination of a representative sample of the file, both with our own accounts and the accounts of the users who helped us verify it, did not produce a single record that was not accurate: every record we examined, from an extremely thorough representative sample, was an accurate record of a password that had been used on the LiveJournal account in question at some point in the past. Our research into the accuracy of those records is what let us tentatively date the file as containing records from at least 2014-2017. This makes us believe it was not a one-time incident, but an ongoing security issue in which intruders were able to access the LiveJournal password database at multiple dates.
Troy Hunt, the security researcher who runs the service Have I Been Pwned, conducted his own independent research with his subscribers, which we assisted with, and he also concluded that the source of the data was legitimate and the file was a legitimate record of passwords that had been used on LiveJournal in the past. The data from that file is loaded into Have I Been Pwned, and if your email address and password were in that black market password file, it will be returned as a result if you enter your email address in Have I Been Pwned.
At the time of the incident, and once we were able to obtain access to the alleged LiveJournal password file circulating on the black market, we took steps to forcibly change the passwords of any user whose email address and password on Dreamwidth matched an email address and password present in the alleged LiveJournal password file. We also made upgrades to our password storage and handling at the time that would hopefully reduce the potential security risk to Dreamwidth users who had reused their passwords from LiveJournal and to prevent the use of passwords that appear in that alleged LiveJournal password file. However, this week's rash of account break-ins has occurred among people who have confirmed that their Dreamwidth password had previously been used on LiveJournal, and several of them have confirmed their data did not appear in 2020's alleged LiveJournal black-market password file.
We don't know (and we probably will never know for certain) if there's an additional password file circulating, if the person who assembled the 2020 alleged LiveJournal black market password file held back additional records so that they could sell them later, or if there has been an additional security incident in which someone was allegedly able to obtain access to a newer LiveJournal password database and assemble a file that contains records from a later time period than we believe we were able to reliably date the information in the 2020 black market file.
At this point, for your own account safety, we must recommend that you act as though any password you have ever used on LiveJournal, at any point, for any account, at any time, even if it is not your current LiveJournal password, has been potentially compromised. Do not use that password on any other site, but especially on Dreamwidth. (Because of the high overlap of users between LiveJournal and Dreamwidth, anyone with access to a password file that claims to be LiveJournal passwords will also immediately try those email address and password combinations on Dreamwidth as well, because people reuse passwords across sites so frequently.)
If your Dreamwidth password is the same as any password you have ever used on LiveJournal, for any account, at any point, even if it is not your current LiveJournal password, please change it immediately by going to the Change Password page. Use a strong password that you have never used on any other site. We strongly recommend that you install and use a password manager that will generate and remember the passwords for you: two that our staff and volunteers use and like are 1Password and Bitwarden. (We've previously also mentioned a program called LastPass; we no longer recommend it because of their mishandling of their own recent security incident. Neither 1Password nor Bitwarden sponsor us, we have no financial connection to them, and we receive no benefit from those recommendations: we just use the services ourselves and are satisfied with them.)
Again, to be clear, this is not a security incident with Dreamwidth itself: we have no reason to believe that we've had any security problems, and we do actively monitor and look for them. The issue on Dreamwidth is that people have used the same password they've used for LiveJournal, and to the best of our ability to determine from the outside, we believe LiveJournal has been unable to fully resolve the security incident that resulted in a password file circulating on the black market in 2020. If your Dreamwidth password is one that you've never used on LiveJournal, you don't have to take any action. If your Dreamwidth password is the same as one you've ever used on LiveJournal, at any point, for any account, even if it isn't your current LiveJournal password, please immediately change your password on both sites and make sure that you never reuse your LiveJournal password on any other site ever again.
Our recommendation to treat any password you have ever used on LiveJournal as actively compromised and likely to be exploited will continue to be in force until LiveJournal is willing to publicly disclose the results of their investigation into the source of the 2020 black market password file, their conclusions as to how the author of that file was able to assemble 20 million records with an extremely high rate of accuracy as determined by the representative sampling verification of multiple security researchers, and the steps they've taken to resolve the attack vector used by the author of that file so that the attack vector can't be used again to assemble newer records. We also strongly recommend that you treat any public disclosure from LiveJournal as suspect unless it is accompanied by a report from an independent security research team verifying the accuracy of its contents.
All comments on dw_news entries relating to security issues are screened. If you have a question that we believe would benefit from a public answer, we may unscreen your comment when we reply to it.
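The two controls the longer explanation describes, matching a leaked email:password file against local accounts so that only the accounts whose current password still verifies are force-reset, and refusing passwords that appear in the file at password-change time, as an added example that is not Dreamwidth's code. The dump lines, user records and the stdlib scrypt parameters are constructed for the demonstration; the prefix-indexed denylist mirrors the k-anonymity layout of Have I Been Pwned's Pwned Passwords range API (SHA-1, five hex characters of prefix) but runs entirely offline here.

```python
"""Breach-dump reconciliation and breached-password denylisting.

Added example, not Dreamwidth's implementation. The dump lines, user
records and KDF parameters below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional, Set, Tuple

# scrypt from the stdlib stands in for the site's real password KDF.
# n=2**12 keeps the example fast; production deployments use a larger n.
_SCRYPT = dict(n=2 ** 12, r=8, p=1, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage, with a fresh random salt per account."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.scrypt(password.encode("utf-8"), salt=salt, **_SCRYPT)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate against the stored digest."""
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **_SCRYPT)
    return hmac.compare_digest(candidate, digest)


def parse_dump(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map normalised email -> passwords the dump lists for it.

    Splits on the first ':' only, because passwords may contain colons;
    malformed lines are skipped rather than guessed at.
    """
    creds: Dict[str, Set[str]] = {}
    for raw in lines:
        line = raw.rstrip("\r\n")
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        email = email.strip().lower()
        if email and password:
            creds.setdefault(email, set()).add(password)
    return creds


def find_reused_credentials(dump: Dict[str, Set[str]],
                            users: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Emails of local accounts whose *current* password verifies against a
    password the dump lists for that same email. Only these accounts get a
    forced reset; the dump's plaintexts are checked once and never stored."""
    hits: List[str] = []
    for email, (salt, digest) in users.items():
        if any(verify_password(pw, salt, digest) for pw in dump.get(email, ())):
            hits.append(email)
    return sorted(hits)


def build_denylist_index(passwords: Iterable[str]) -> Dict[str, Set[str]]:
    """Index breached passwords by SHA-1 prefix (5 hex chars) -> suffixes,
    the k-anonymity layout of the Pwned Passwords range API.
    SHA-1 is only a lookup key here, never the storage hash."""
    index: Dict[str, Set[str]] = {}
    for pw in passwords:
        h = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(h[:5], set()).add(h[5:])
    return index


def is_denylisted(password: str, index: Dict[str, Set[str]]) -> bool:
    """Password-change-time check. If this index lived on a remote service,
    only the 5-character prefix would leave the client."""
    h = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return h[5:] in index.get(h[:5], set())


# --- constructed sample data (not a real leak) -------------------------
DUMP_LINES = [
    "alice@example.com:hunter2",
    "bob@example.com:correct horse battery staple",
    "carol@example.com:pa:ss:word",          # colon inside the password
    "mallory@example.com",                   # malformed, no separator
    "Dave@Example.com:letmein",              # mixed-case email in the dump
]

# Local user table: email -> (salt, scrypt digest) of the current password.
USERS = {
    "alice@example.com": hash_password("hunter2"),        # reused from the dump
    "bob@example.com": hash_password("unrelated-pw-9!"),  # changed since the leak
    "carol@example.com": hash_password("pa:ss:word"),      # reused
    "dave@example.com": hash_password("letmein"),          # reused; email case differs
    "erin@example.com": hash_password("never-leaked"),     # not in the dump
}

DUMP = parse_dump(DUMP_LINES)
FORCE_RESET = find_reused_credentials(DUMP, USERS)
DENYLIST = build_denylist_index(pw for pws in DUMP.values() for pw in pws)

if __name__ == "__main__":
    print("force reset:", FORCE_RESET)
    print("hunter2 denylisted:", is_denylisted("hunter2", DENYLIST))
    print("fresh passphrase denylisted:", is_denylisted("Gz7!kq-vortex-lamp", DENYLIST))
```

Verifying the dump's plaintexts against the stored salted hashes, rather than re-hashing the user table with the dump's scheme, keeps the check per account: a user who changed their password after the leak is not reset, and the dump is consulted once and then discarded. The SHA-1 prefix index is a lookup key only, so the denylist can live apart from the salted storage hashes and still be queried without revealing the full candidate password.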