LiveJournal passwords exposed ☹

May 26, 2020 19:49

Tue May 26 19:49:55 EDT 2020

I'm one of 26,372,781 people pwned in the LiveJournal data breach.
I've been pwned!
I signed up for notifications when my account was pwned in a data breach and unfortunately, it's happened. Here's what's known about the breach:
Email found: [oneofmine]@comcast.net
Breach: LiveJournal
Date of breach: 1 Jan 2017
Number of accounts: 26,372,781
Compromised data: Email addresses, Passwords, Usernames
Description: In mid-2019, news broke of an alleged LiveJournal data breach. This followed multiple reports of credential abuse against Dreamwidth beginning in 2018, a fork of LiveJournal with a significant crossover in user base. The breach allegedly dates back to 2017 and contains 26M unique usernames and email addresses (both of which have been confirmed to exist on LiveJournal) alongside plain text passwords. An archive of the data was subsequently shared on a popular hacking forum in May 2020 and redistributed broadly. The data was provided to HIBP by a source who requested it be attributed to "nano@databases.pw".
The good thing is that my LJ account names aren't used other places; one is the same on Dreamwidth, and my DW and LJ passwords are different. But the LJ passwords are linked to the email addresses for the accounts (and email addresses are used lots of places).
LJ insisted I change my passwords a couple of weeks ago. This breach happened 3 years ago? It's rather late for damage control.
Whilst the breach occurred in January 2017, sometimes there can be a lengthy lead time of months or even years before the data is disclosed publicly. Have I Been Pwned will always attempt to alert you ASAP, it's just a question of how readily available the data is.
I recommend ';--have i been pwned? I don't hear from them often, but I usually hear from them sooner than I hear from the organizations that leaked my passwords - assuming they'll admit to it. Like LJ saying their "password requirements have been updated" - while that may be true, changing password(s) on LJ protects only them; it doesn't protect other sites where LJ users have reused passwords. It doesn't tell people they should no longer be using that old, exposed password anywhere else.

Tuesday 22:24

About 3½ hours after I got email from HIBP, I got emails from DW (presumably matching my LJ accounts) about this LJ breach. (Given that it would take some time to get the pwned list and match it against DW accounts and then crank out mass mailings, the DW team continue to impress.)
We've contacted LiveJournal about our findings several times, and they've told us each time that they don't believe the situation warrants disclosure to their users.
LJ continues to impress in a negative way.
However, at this point we must advise that you treat the file as legitimate and behave as though any password you used on LiveJournal in the past may be compromised.
... it's best if you treat any password you've ever used on LiveJournal in the past as compromised, since we can't tell for certain when the alleged breach happened.
These passwords are tied to the accounts' associated email addresses, not just the LJ account names.

Tuesday 22:26

I now have more notices from DW than I have accounts on LJ. (So the emails don't match the accounts.)

Friday 04:37

I just got a pop-up from Firefox (re-)loading a LiveJournal page:
Have an account on this site?
More than 20,000,000 accounts from LiveJournal were compromised in 2016. Check Firefox Monitor to see if yours is at risk.
https://monitor.firefox.com/?breach=LiveJournal&utm_source=firefox&utm_medium=popup
Was your info exposed in the LiveJournal data breach?
Stay safe: Get email alerts when your info appears in a known breach
Search for your email address in public data breaches going back to 2007.

About Firefox Monitor
Firefox Monitor warns if your online accounts were involved in a data breach. Find out if you’ve been in a data breach, get alerts about new breaches, and take steps to protect your online accounts. Firefox Monitor is provided by Mozilla.

[This entry was originally posted as https://syntonic-comma.dreamwidth.org/1149425.html on Dreamwidth (where there are comments).]

privacy, firefox, dw, passwords, security, lj
