A database containing credentials from more than 26 million LiveJournal accounts has been leaked online and is being sold on the Dark Web and hacker forums.
The data contained in the files appears to be from a 2014 incident in which 33 million accounts were hacked, according to a published report. Though rumors of that breach have been in circulation for a couple of years – and there is some debate over when it actually occurred – the incident was never officially confirmed by LiveJournal, sources said.
Hackers, however, seem to have been busy using and selling data from the breach to mount attacks; the data ultimately found its way to Troy Hunt of Have I Been Pwned. The data-breach notification service added a listing about the LiveJournal leak on Tuesday, citing mid-2019 as the time news of the breach surfaced.
The listing categorizes the breach as having occurred in January 2017, compromising 26,372,781 user accounts; the hackers stole email addresses, passwords and user names for members of the blogging service. A source who asked that the data be attributed to nano@databases[dot]pw turned it over to Hunt, according to the listing.
“An archive of the data was subsequently shared on a popular hacking forum in May 2020 and redistributed broadly,” according to the listing.
Still, other evidence points to the breach happening earlier, according to another report. A now-defunct data-leak tracking service, We Leak Info, tweeted in July 2019 about a 2014 leak of 33 million LiveJournal accounts.
No matter the timeline, it does seem that LiveJournal was compromised and that user information has been in the hands of bad actors for some time. Those actors have already acted on that information with various types of attacks, ranging from credential stuffing to email-based extortion, according to various sources.
The Have I Been Pwned listing cites “multiple reports of credential abuse” against a company called Dreamwidth, a spinoff of LiveJournal based on its original code base with a significant number of crossover users.
While Dreamwidth never confirmed the attacks, a Twitter user called “definitely not a huge award-winning fanfic author” who claims to be a co-founder of the site tweeted in response to Hunt on Tuesday that the site has definitely seen an uptick in credential-stuffing attacks.
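The credential-stuffing pattern Dreamwidth describes (one source trying leaked email/password pairs against many different accounts, most of which fail) is visible in ordinary authentication logs. The script below is an added example of how a defender could surface it; it is not Dreamwidth's or LiveJournal's code. The one-line-per-attempt log format, the sample log lines, and the thresholds (at least five distinct usernames from one IP inside ten minutes with a failure rate of 80 percent or more) are all constructed assumptions for the illustration.

```python
"""Flag credential-stuffing sources in authentication logs.

Added example, not code from Dreamwidth or LiveJournal. Assumed log format
(one line per login attempt):
    <ISO-8601 UTC timestamp> <client IP> <username> <ok|fail>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 walks through eight different accounts
# with one success (the stuffing signature); 198.51.100.20 is one user
# mistyping their own password; 192.0.2.5 is a single normal login.
SAMPLE_LOG = """\
2020-05-26T10:00:01Z 203.0.113.7 alice fail
2020-05-26T10:00:02Z 203.0.113.7 bob fail
2020-05-26T10:00:03Z 203.0.113.7 carol fail
2020-05-26T10:00:04Z 203.0.113.7 dave fail
2020-05-26T10:00:05Z 203.0.113.7 erin fail
2020-05-26T10:00:06Z 203.0.113.7 frank fail
2020-05-26T10:00:07Z 203.0.113.7 grace ok
2020-05-26T10:00:08Z 203.0.113.7 heidi fail
2020-05-26T10:01:00Z 198.51.100.20 ivan fail
2020-05-26T10:01:10Z 198.51.100.20 ivan fail
2020-05-26T10:01:20Z 198.51.100.20 ivan fail
2020-05-26T10:01:40Z 198.51.100.20 ivan ok
2020-05-26T10:05:00Z 192.0.2.5 judy ok
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def find_stuffing_sources(lines, window=timedelta(minutes=10),
                          min_users=5, min_fail_rate=0.8):
    """Return {ip: stats} for IPs whose sliding-window behaviour looks like
    credential stuffing: many distinct usernames and mostly failures.

    The stats record the widest qualifying window seen for that IP, plus the
    accounts that logged in successfully inside it. Those are the accounts
    most likely to be reusing a leaked password and should be reset.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e[0])
    per_ip = defaultdict(list)
    for ts, ip, user, result in events:
        per_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, evs in per_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the window never exceeds its length.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, r in chunk if r == "fail")
            fail_rate = fails / len(chunk)
            if len(users) >= min_users and fail_rate >= min_fail_rate:
                if ip not in flagged or len(users) > flagged[ip]["distinct_users"]:
                    flagged[ip] = {
                        "attempts": len(chunk),
                        "distinct_users": len(users),
                        "fail_rate": fail_rate,
                        "first_seen": chunk[0][0],
                        "last_seen": chunk[-1][0],
                        # Successful logins during the burst: reset these.
                        "successful_accounts": sorted(
                            u for _, u, r in chunk if r == "ok"),
                    }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG.splitlines()).items():
        print(ip, stats)
```

The per-user retry from 198.51.100.20 is deliberately not flagged: failure rate alone would catch a forgetful user, so the detector requires spread across accounts as well. In practice the same logic runs over a proxy or SSO log, and the `successful_accounts` list feeds a forced password reset.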
The tweet seems to be backed up by a blog post from Dreamwidth co-founder and former LiveJournal staffer Mark Smith from April, which informs users of an update to the site’s authentication mechanism from outdated and insecure LiveJournal protocols to more secure web infrastructure.
“We are making some changes to how we do authentication (how you log in) that will unfortunately break a number of older clients that you might be using to talk to Dreamwidth,” he wrote. “This is very unfortunate, but we think that the tradeoffs in improved security are very much worth it.”
The post stops short, however, of acknowledging that any attacks were occurring based on data leaked from a LiveJournal breach.
“We do not believe, and have no evidence of, our database ever being leaked or accessed other than by the three staff members who maintain Dreamwidth’s infrastructure,” Smith wrote. “We are making these changes not because of some extrinsic motivation but because we believe that they’re the right thing to do.”
Meanwhile, there is earlier evidence, from a couple of years ago, of threat actors using LiveJournal data for other scams.
A Twitter user who responded to a tweet by Hunt in 2018 – when rumors were circulating about a potential, unconfirmed LiveJournal breach – said that hackers had tried to extort money from him using data acquired from the breach. Freelance software engineer Alexander Mikhailian said his LiveJournal password was leaked and he received an extortion letter “asking to transfer $800 [in] bitcoins or else.”