Keeping Your Journal Safe
Recently some journals and communities have been broken into, their contents deleted, and their owners locked out. We want to explain how this can happen and give you some steps you can take to help prevent this from happening to your journal or community.
First of all, we would like to dispel the rumor that these break-ins have something to do with the accounts that have recently been friending large numbers of users (sometimes called friending bots). We do not believe these are related. The problem appears to stem from Hotmail's policy of recycling inactive email addresses.
The recent break-ins resulted from hijackers finding and accessing lapsed Hotmail accounts that were used with LiveJournal accounts and publicly displayed on Profile pages in the past. You should be aware that Hotmail recycles email addresses that haven't been used in more than a year. If you validated a Hotmail address for your journal and displayed it publicly in the past, but then let the address lapse, someone who finds and re-registers that address can use it to obtain control of the journal.
Managing Your Email Addresses
The best thing you can do to keep your account safe is to keep your password secure and make sure that you're in control of all the email addresses you have used with your account. We have added a Manage Email Addresses feature that allows you to delete email addresses that are no longer active. If you have been using your current validated email address for at least six months, you can delete all the other addresses associated with your account. If you validated your current email address less than six months ago, you must wait until you've been using it for six months to delete all the other addresses.
The checkboxes will be active if you can delete the address. You can manage your email addresses here.
Keeping Your Community Safe
To keep a community safe, you should remove all inactive maintainers. Make sure that the users listed as maintainers are actively maintaining the community. If any maintainer is no longer part of the community, don't leave them as community maintainers, even for sentimental reasons.
Using the Secret Question and Protecting Your Password
A great way to protect your password is to use the secret question. If you forget your password but no longer have access to the email you used to create your account, the secret question helps us verify that it's really you requesting your password. The secret question is only used when you forget your password or email; you don't need to answer the question when you just want to change your password or email. You can choose from a list of questions or you can create your own. We advise creating your own. The best questions, of course, have answers known only to you, so make sure you haven't inadvertently given away the answer somewhere, like talking about your first pet or where you went to high school on your journal. Another strategy is to make the answer to your secret question completely unrelated to the question. You can set your secret question here.
Even if no one has broken into your account, it's always a good idea to change your password periodically. Going through all the steps in this FAQ from time to time can save you a lot of trouble down the road. And it doesn't hurt to take a peek at your login history now and then, just to make sure it matches your actual activity.
Look Before You Click
Another aspect of the recent community hijackings is the planting of malicious links. Once the hijackers have gained control of a maintainer's email address and used it to remove all the other maintainers, they have been posting entries that may contain links to viruses and malware. Always practice safe clicking. Don't click on anything-even if it's posted by a friend-without hovering your mouse over the link and checking the status bar to make sure that what you're clicking is for real. You should also run any and all spyware/malware/antivirus programs on a regular basis. A basic Google search will turn up a number of free programs that you can use to protect your computer.
We're working on additional solutions to help prevent these kinds of break-ins from happening. The steps outlined in this post are some of the things you can do to help keep your account secure.
First of all, we would like to dispel the rumor that these break-ins have something to do with the accounts that have recently been friending large numbers of users (sometimes called friending bots). We do not believe these are related. The problem appears to stem from Hotmail's policy of recycling inactive email addresses.
The recent break-ins resulted from hijackers finding and accessing lapsed Hotmail accounts that were used with LiveJournal accounts and publicly displayed on Profile pages in the past. You should be aware that Hotmail recycles email addresses that haven't been used in more than a year. If you validated a Hotmail address for your journal and displayed it publicly in the past, but then let the address lapse, someone who finds and re-registers that address can use it to obtain control of the journal.
Managing Your Email Addresses
The best thing you can do to keep your account safe is to keep your password secure and make sure that you're in control of all the email addresses you have used with your account. We have added a Manage Email Addresses feature that allows you to delete email addresses that are no longer active. If you have been using your current validated email address for at least six months, you can delete all the other addresses associated with your account. If you validated your current email address less than six months ago, you must wait until you've been using it for six months to delete all the other addresses.
The checkboxes will be active if you can delete the address. You can manage your email addresses here.
Keeping Your Community Safe
To keep a community safe, you should remove all inactive maintainers. Make sure that the users listed as maintainers are actively maintaining the community. If any maintainer is no longer part of the community, don't leave them as community maintainers, even for sentimental reasons.
Using the Secret Question and Protecting Your Password
A great way to protect your password is to use the secret question. If you forget your password but no longer have access to the email you used to create your account, the secret question helps us verify that it's really you requesting your password. The secret question is only used when you forget your password or email; you don't need to answer the question when you just want to change your password or email. You can choose from a list of questions or you can create your own. We advise creating your own. The best questions, of course, have answers known only to you, so make sure you haven't inadvertently given away the answer somewhere, like talking about your first pet or where you went to high school on your journal. Another strategy is to make the answer to your secret question completely unrelated to the question. You can set your secret question here.
Even if no one has broken into your account, it's always a good idea to change your password periodically. Going through all the steps in this FAQ from time to time can save you a lot of trouble down the road. And it doesn't hurt to take a peek at your login history now and then, just to make sure it matches your actual activity.
Look Before You Click
Another aspect of the recent community hijackings is the planting of malicious links. Once the hijackers have gained control of a maintainer's email address and used it to remove all the other maintainers, they have been posting entries that may contain links to viruses and malware. Always practice safe clicking. Don't click on anything-even if it's posted by a friend-without hovering your mouse over the link and checking the status bar to make sure that what you're clicking is for real. You should also run any and all spyware/malware/antivirus programs on a regular basis. A basic Google search will turn up a number of free programs that you can use to protect your computer.
We're working on additional solutions to help prevent these kinds of break-ins from happening. The steps outlined in this post are some of the things you can do to help keep your account secure.