26 million LiveJournal credentials leaked online, sold on the dark web

LiveJournal credentials were obtained in a 2014 hack, but leaked online earlier this month.


Blogging platform LiveJournal appears to have suffered a security breach in 2014, according to multiple hackers who are now selling and freely trading the company's user database on the dark web and on hacking forums, ZDNet has learned.

For some, this might be old news. Rumors about a LiveJournal security breach have been circulating online for almost two years. The earliest talks appeared in October 2018 when multiple users reported receiving their unique/old LiveJournal passwords as part of sextortion email spam campaigns.

While a breach was never confirmed at the time, the rumors didn't stop either. For the past months, DreamWidth, a blogging platform forked from the old LiveJournal codebase, has also been under assault.

In a series of blog posts and tweets published over the past weeks, DreamWidth says it has been targeted by multiple credential stuffing attacks. The company says hackers used old LiveJournal username and password combinations to breach DreamWidth accounts -- since the two platforms share the same codebase and users -- and post spam messages on its site.

But in spite of all the evidence supporting the fact that hackers have gained access to a large number of LiveJournal credentials, the Rambler Group, the company which owns LiveJournal, has declined to formally acknowledge a breach in its previous communications with DreamWidth administrators.

However, earlier today, these rumors appear to have been confirmed when the Have I Been Pwned (HIBP) data breach indexing service announced that it received a copy of the LiveJournal user database and indexed it on its website.

According to HIBP, the data contained the usernames, emails, and plaintext passwords of 26,372,781 LiveJournal users.

LiveJournal database has been around for months, years

With the help of threat intelligence firm KELA, ZDNet has confirmed the existence of the LiveJournal stolen database and has tracked down copies and mentions of user data in multiple locations across the hacking underground.

For starters, we identified multiple ads posted by data brokers. In these ads, hackers were selling or willing to buy the LiveJournal database. The ads, some going back for months, suggest that many threat actors were very much aware of the stolen LiveJournal data, despite the company failing to identify the 2014 security breach.

From these ads it appears that after the 2014 intrusion, hackers traded the LiveJournal data in private, with the user database making its way through the hands of several threat actors, such as spam groups and brute-forcing botnets.

However, as the data got traded over and over again, it also leaked online. The first mention that the LiveJournal database became broadly available was in July 2019, when now-defunct data breach indexing service WeLeakInfo announced it obtained a copy of the LiveJournal database, which it added to its service.

As time went by, the data also became more broadly available. Recent sightings include an ad on a dark web marketplace, where the LiveJournal database was listed for sale for the lowly price of $35. (Ad says 33 million records, but after removing duplicates, the data is only 26.3 million records.)


But the data did not remain up for sale for long. Days after being made available on the dark web, the same LiveJournal database was also shared on a well-known hacking forum, from where it almost immediately began circulating broadly as a free download on Telegram channels and file-sharing portals.


Currently, the DreamWidth platform is still suffering from credential stuffing attacks using old LiveJournal credentials, but the company is rolling out updates. However, the risk is not limited to DreamWidth accounts. It's just more visible because the two platforms have a shared history.

Users who used their old LiveJournal usernames and passwords on other sites are also at risk of having their accounts hijacked following credential-stuffing attacks.

LiveJournal users can visit the HIBP portal and check if their credentials have been included in the data trove stolen by hackers back in 2014.

Users who changed their LiveJournal password since 2014 are most likely safe. However, users are advised to change the passwords of other online accounts where they re-used their old LiveJournal credentials.

Even if the LiveJournal database is old, has circulated in private, and has been abused for years, this doesn't mean users should slack on their personal security.

Approached for comment, the Rambler Group provided the following statement after Have I Been Pwned indexed a copy of what's alleged to be its old 2014 user database. In effect, the company has denied that hackers gained access to its systems, and says the data was merely compiled across the years from different sources, such as malware infections (stolen from users' browsers) or brute-force attacks (hackers guessed the passwords of LiveJournal users).

We constantly maintain monitoring and strive to ensure that our users feel as safe and protected as possible. We analyzed data appeared and can say that the data may be compiled using different sources and mostly falsified.

We encountered cases of brute-force attacks in 2011-2012. We have implemented suspicious activity system to track and block suspicious logins since then, and have improved our password storage mechanics. We have developed all of the necessary protocols for unauthorized account usage attempts.

We alert our users regularly to the necessity of updating their password. We have disabled passwords that were not updated for extended period of time. Users experiencing troubles accessing their accounts can submit a support request to get assistance.


Updated on May 27 at 13:30 ET with statement from the Rambler Group.