Hackers Sell Data From 26 Million LiveJournal Users On Dark Web
A database containing credentials from more than 26 million LiveJournal accounts has been leaked online and is being sold on the Dark Web and hacker forums. The data contained in the files appears to be from a 2014 incident in which 33 million accounts were hacked, according to a published report. Though rumors of that breach have been in circulation for a couple of years, and there is some debate over when it actually occurred, the incident was never officially confirmed by LiveJournal, sources said.
For some, this might be old news. Rumors about a LiveJournal security breach have been circulating online for almost two years. The earliest reports appeared in October 2018, when multiple users reported receiving their unique/old LiveJournal passwords as part of sextortion email spam campaigns. While a breach was never confirmed at the time, the rumors didn’t stop either. For the past months, DreamWidth, a blogging platform forked from the old LiveJournal codebase, has also been under assault.
In a series of blog posts and tweets published over the past weeks, DreamWidth says it has been targeted by multiple credential stuffing attacks. The company says hackers used old LiveJournal username and password combinations to breach DreamWidth accounts (the two platforms share the same codebase and users) and to post spam messages on its site. But in spite of all the evidence that hackers have gained access to a large number of LiveJournal credentials, the Rambler Group, the company which owns LiveJournal, has declined to formally acknowledge a breach in its previous communications with DreamWidth administrators.
However, earlier today, these rumors appear to have been confirmed when the Have I Been Pwned (HIBP) data breach indexing service announced that it received a copy of the LiveJournal user database and indexed it on its website.
According to HIBP, the data contained the usernames, emails, and plaintext passwords of 26,372,781 LiveJournal users.
LiveJournal database has been around for months, years
With the help of threat intelligence firm KELA, ZDNet has confirmed the existence of the LiveJournal stolen database and has tracked down copies and mentions of user data in multiple locations across the hacking underground. For starters, we identified multiple ads posted by data brokers. In these ads, hackers were selling or willing to buy the LiveJournal database. The ads, some going back for months, suggest that many threat actors were very much aware of the stolen LiveJournal data, despite the company failing to identify the 2014 security breach.
From these ads it appears that after the 2014 intrusion, hackers traded the LiveJournal data in private, with the user database making its way through the hands of several threat actors, such as spam groups and brute-forcing botnets. However, as the data got traded over and over again, it also leaked online. The first mention that the LiveJournal database became broadly available was in July 2019, when now-defunct data breach indexing service WeLeakInfo announced it obtained a copy of the LiveJournal database, which it added to its service.
“Breaches happen all too often and, unfortunately, companies do not always disclose them. This breach illustrates a bigger issue beyond just LiveJournal. Delaying announcements to consumers about breaches can have a long-lasting impact on those affected,” said Joe Skocich, Vice President at security company Identité.
“In this case, hackers stole email addresses, passwords and usernames that consumers most likely use for other accounts and could lead to even more personal information being shared. Since consumers can’t rely on breach notifications to be timely or to even come at all, outdated log-in systems that make consumers more susceptible to attacks need to be retired.”
Past and current LiveJournal users are advised to change their password to a new, long and unique one, and to do the same on any other account where they used the same password.