Archive Industry News

26 million LiveJournal users warned that their passwords have been breached

26 million LiveJournal users warned that their passwords have been breached

On underground criminal marketplaces the email addresses and plaintext passwords of over 26 million LiveJournal blogging accounts are being traded, despite LiveJournal’s owners refusing to acknowledge that any security breach has occurred.

The first rumours of a major security incident involving LiveJournal passwords first began bubbling up in October 2018, when data breach expert Troy Hunt tweeted that he had received multiple reports of a compromise after users complained they had received sextortion emails quoting passwords they said they only used on the platform.

At the same time Dreamwidth, a blogging platform forked from LiveJournal’s code, warned that it had also received reports of spam extortion emails demanding a Bitcoin ransom.

Dreamwidth said then that it did not believe that its own site was the source of the data breach which fuelled the emails, and declined to name the site in question “because they haven’t made a public announcement confirming the breach.”

Yesterday, however, Dreamwidth publicly named LiveJournal as the likely source of the hacked data. Worryingly, according to Dreamwidth, LiveJournal does not seem inclined to tell its users of the breach.

“We’ve contacted LiveJournal about our findings several times, and they’ve told us each time that they don’t believe the situation warrants disclosure to their users. However, at this point we must advise that you treat the file as legitimate and behave as though any password you used on LiveJournal in the past may be compromised.”

Dreamwidth says that it has in the past been the victim of credential-stuffing attacks, seemingly powered by the usernames and passwords stolen from LiveJournal.

Troy Hunt’s HaveIBeenPwned service has a copy of the breached data, and earlier today an alert was sent out to the owners of 26,372,781 LiveJournal accounts that those passwords should be considered compromised.

Clearly, it would be advisable for affected users to not only change their LiveJournal password, but also ensure that they are not reusing that same password anywhere else on the internet.

The actual password database itself seems to have been created some years ago, so there’s some hope that some users will have changed their passwords over the years anyway. But better to be safe than sorry.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.