Anyone who had a LiveJournal account circa 2014 should make certain that they aren’t still using the same password for any other accounts. A record of 26 million LiveJournal usernames and plaintext passwords was just submitted to Have I Been Pwned, but it is not a new breach. The hack occurred nearly six years ago and has been kept quiet as the data was sold from one underground source to another, not becoming visible to the general public until mid-2019. During that time it appears to have been fueling credential stuffing attacks run through brute-force botnets, with the bulk of the activity directed at the LiveJournal fork Dreamwidth.
The 2014 LiveJournal breach
At some point in 2014, what appears to be a total breach of all of LiveJournal’s accounts occurred. The hackers obtained the usernames, email addresses and passwords of over 26 million site users. Given that this was more than double the number of active users the site had at the time, it is reasonable to assume that the breach exposed the personal data of users going back some years prior to 2014 (LiveJournal first launched in 1999).
The passwords were hashed with MD5, a fast hash that is relatively easy and quick to crack with brute-force methods. The leaked files found in the wild recently already had all of the passwords cracked to plaintext.
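Why a fast, unsalted hash ends up circulating as plaintext, and what the fix looks like, as an added illustration that is not part of the original article. The wordlist, usernames and digests below are constructed for the demo, and the PBKDF2 scheme is one common mitigation, not a description of what LiveJournal used or uses.

```python
import hashlib
import hmac
import os

# Constructed sample data: hypothetical users and a tiny wordlist, not records
# from the real LiveJournal dump.
WORDLIST = ["password", "123456", "livejournal", "qwerty", "letmein"]
LEAKED_MD5 = {                       # username -> unsalted MD5 hex digest
    "user_a": hashlib.md5(b"123456").hexdigest(),
    "user_b": hashlib.md5(b"letmein").hexdigest(),
    "user_c": hashlib.md5(b"correct horse battery").hexdigest(),
}


def crack_unsalted_md5(leaked, wordlist):
    """Recover passwords from unsalted MD5 digests with one precomputed table.

    Without a salt, the same table built from the wordlist serves every user
    at once, which is why a dump like this can be sold already in plaintext.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[digest] for user, digest in leaked.items() if digest in table}


def hash_password(password, salt=None, iterations=600_000):
    """Mitigation: per-user random salt plus a deliberately slow KDF.

    The salt makes a shared lookup table useless (two users with the same
    password get different hashes) and the iteration count makes each guess
    expensive. Format: '<salt hex>$<iterations>$<digest hex>'.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iters, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, stored)
```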
An investigation by ZDNet indicates that the database has likely been circulating among online criminals since the 2014 attack, based on patterns seen in credential stuffing attacks and posts on underground hacking forums. Rumors of it began to appear in 2018, when former LiveJournal users began receiving their own account names and plaintext passwords as part of a string of “sextortion” scams (in which recipients are threatened with the release of compromising pictures or video that do not actually exist).
LiveJournal is still around, but its user base shifted heavily from US users to Russian users after the company was sold and its data was relocated to that country around 2010. Dreamwidth, a forked project using the LiveJournal code base, also became available to the public around that time and has taken over in the West as something of a LiveJournal replacement. Dreamwidth reports being plagued by credential stuffing attacks using these old username and password combinations ever since the leaked database became publicly available.
The Rambler Media Group, the current owners of LiveJournal, have issued a statement that claims the data is “falsified” and cobbled together from other sources. ZDNet’s investigation found that the database was consistently labeled as LiveJournal data from 2014 as it was sold from one online criminal group to another. Chris Clements, VP of Solutions Architecture for Cerberus Sentinel, had harsh words for LiveJournal’s ownership regarding their handling of the breach: “The worst failure however is that LiveJournal is still either unaware or willfully ignorant of the breach and has left its users at risk by failing to notify them or encouraging them to change their passwords. This is completely inexcusable behavior for any organization that is entrusted with data from users. Unless LiveJournal provides a prompt response to this breach and transparent accounting of how it is now conforming to security best practices, I’d encourage any LiveJournal users to abandon the service. They’ve lost any benefit of the doubt now.”
The data appears to have slowly made its way through the hands of several spam groups, as well as specialists in automated credential stuffing attacks who make use of botnets. The LiveJournal credentials appear to have been used quite heavily over the past few years, as the most recent sale was for a mere $35. After this last transaction the data appears to have leaked online for free via Telegram channels and dark web file sharing portals.
Former users who have changed their LiveJournal password since 2015 are unlikely to have that account compromised, but this is a good time to check whether the old username and password combination was reused anywhere else (especially on older accounts from that period), given the volume of credential stuffing attacks that have drawn on this data.
Credential stuffing attacks continue to rise
Credential stuffing attacks are one of the faster-growing segments of cyber crime, continuing to build on a very active year in 2019. The technique is popular in part because of its relative simplicity, and in part because new breaches constantly supply millions of fresh credentials to try. Criminals look both for sensitive information and for streaming service logins that they can sell at a discount.
These attacks are accessible even to non-technical threat actors, as they can be executed using simple software with a very straightforward GUI. Botnets are often used to distribute credential stuffing attacks: because each attempt comes from a different device in the botnet, one service can be tried many times in quick succession without tripping the automated restrictions on repeated login attempts from a single source.
Although they are easy to execute, credential stuffing attacks are also fairly easy to curtail. Using a unique password for each account makes it extremely unlikely that one will fall victim. Credential stuffing attacks prey on the “password fatigue” of having to manage dozens of logins; recent studies have found that between 52% and 83% of internet users still re-use at least some of their logins, despite years of frequent warnings to the contrary. One potential solution is for more platforms to mandate the use of two-factor authentication (2FA).
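Since the botnet spreads attempts across many source addresses, a per-IP lockout sees only one or two failures each and misses the pattern; the defender has to look at the aggregate. The following detection logic, an added example that is not part of the original article, classifies a window of login events by the signature described above (many distinct accounts, many IPs, near-total failure) and distinguishes it from a single-account brute force. The log format, the usernames, the documentation-range IPs and the thresholds are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed log format: '<timestamp> ip=<addr> user=<name> result=OK|FAIL'
LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def parse_auth_log(lines):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def classify_login_burst(events, min_attempts=20):
    """Classify one time window of login attempts.

    Credential stuffing: many *different* usernames, each tried once or
    twice, spread over many source IPs, almost all failing. Brute force:
    the opposite, one account hammered repeatedly. Thresholds are
    illustrative assumptions, not tuned values.
    """
    total = len(events)
    if total < min_attempts:
        return "normal"
    users = Counter(e["user"] for e in events)
    ips = Counter(e["ip"] for e in events)
    fail_rate = sum(e["result"] == "FAIL" for e in events) / total
    user_spread = len(users) / total   # 1.0 means every attempt is a new account
    ip_spread = len(ips) / total       # 1.0 means every attempt is a new source
    if fail_rate > 0.9 and user_spread > 0.7 and ip_spread > 0.5:
        return "credential_stuffing"
    if fail_rate > 0.9 and users.most_common(1)[0][1] / total > 0.7:
        return "brute_force"
    return "normal"


# Constructed samples using RFC 5737 documentation address ranges.
STUFFING_LOG = [f"2014-05-01T10:00:{i:02d}Z ip=203.0.113.{i} user=user{i} result=FAIL"
                for i in range(1, 31)]
BRUTE_LOG = [f"2014-05-01T10:01:{i:02d}Z ip=198.51.100.7 user=user1 result=FAIL"
             for i in range(1, 31)]
```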
Robert Prigge, CEO of Jumio, feels that the password may be outmoded given both the frequency of data breaches and the fact that they can be hidden for years: “Since this information was exposed six years ago, criminals have had plenty of time to conduct account takeover attacks, blackmail and sell user information before the exposure was announced and users were informed, making the impact even more severe. This exposure further proves that passwords should no longer be trusted to keep accounts protected. It’s time organizations adopt stronger forms of authentication to protect their users’ accounts, such as biometric authentication (leveraging a person’s unique human traits to confirm identity), which ensures only the real user can log in to their account.”