Livejournal compromised in more ways than one?


TL;DR: If you have or had a Livejournal account, treat the login details as compromised.

Which social network becomes popular with which bunch of people is more a matter of chance than anything else. Being a 'great' social network helps, but if another site is 'good enough' and has a large enough user base, it doesn't matter. Until enough of them move elsewhere, that community will continue to use the site it's already on.

One example is the way that Bebo – treated as something just for teenagers in the UK – ended up being the site for gay and bisexual men in Ireland to meet up, more popular for that than sites like Gaydar. Bebo didn't plan for that to happen, but until most of them moved to Grindr, it didn't matter: that's where they were.

Another example is that before Facebook existed, lots of people in the bi communities used Livejournal.com ('LJ') as their social network. I do mean lots: when someone ran a session at BiCon 2002 for people with LJ accounts, way more than half the attendees turned up to it! (Fortunately, the organisers suspected that would happen and put that session in a very big room…)

A variety of things meant that the number of bi people using LJ declined. Trying to find someone who still did use it was a task on the BiCon 2016 treasure hunt,* for example.

The rise of evilFB is one obvious reason for that, despite its problems, but the final straw for many people was when the site was sold to Russian owners in 2007. (LJ was, and still is, very popular there.) And after moving all the servers that power the site there, LiveJournal changed its terms of service to conform to Russian law… including the homophobic crap bits.

When the move happened, there were several people saying that you could assume that Russian intelligence had full access to the database, and it looks like they're not the only ones.

On the 25th September, bots started trying to email me on an address that had an LJ account. I don't know what the content of the emails was – the server blocked them early on in the process – but today, the senders found a bot that didn't get blocked.

The 'attempt at blackmail' email that it sent contains the Livejournal password for that email address.

That LJ account was deleted in September last year, and confirmed finally really deleted** twelve days before the emails started, but it was the correct password for that account.

Given the password's length and the way I don't appear to have used the email address anywhere else – it doesn't come up in a Google search for it, for example, and there are no non-LJ emails to it – I can't think of any other source than the Livejournal site itself.

Fortunately, I've been using site-unique passwords since Hotmail was new and calling itself HoTMaiL, but because of how I generated those, it's password change time for lots of places… Fortunately (again), I've been using a decent password manager for a while too…

"Obviously", you should not reuse passwords from one account with another, especially on a different website.

But just in case you did, and you had a Livejournal account, change the password for wherever you reused it. Now.
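As an added illustration (not part of the original post), here is a small Python script that applies the reasoning above to a password-manager export: given the email address and password quoted in an extortion mail, it finds which stored credential they belong to, lists every other site where that password was reused (the "change it wherever you reused it" list), and compares the password's hash against a local list of publicly dumped passwords, the kind of check the comments below describe with HaveIBeenPwned and CrackStation. The vault records, the hash list and the leaked pair are all constructed sample data, not anyone's real credentials.

```python
import hashlib

# Constructed password-manager export as (site, login address, password).
# Made-up sample records, not anyone's real credentials.
VAULT = [
    ("livejournal.com", "lj-only@example.org",    "plover-ninety-two-lantern"),
    ("forum.example",   "forum-only@example.org", "plover-ninety-two-lantern"),  # password reused
    ("shop.example",    "shop-only@example.org",  "hexagon-sparrow-velvet-44"),
    ("bank.example",    "bank-only@example.org",  "qwerty"),                     # common password
]

# Constructed stand-in for a published list of breached-password hashes
# (SHA-1, upper-case hex, the format HaveIBeenPwned's downloadable list uses).
KNOWN_BREACHED_SHA1 = {
    hashlib.sha1(b"password123").hexdigest().upper(),
    hashlib.sha1(b"qwerty").hexdigest().upper(),
}


def fingerprints(password: str) -> dict:
    """MD5, SHA-1 and SHA-256 hex digests of a password, so it can be compared
    against published hash lists without handing the plaintext around."""
    raw = password.encode("utf-8")
    return {
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


def in_public_dumps(password: str, known_sha1=KNOWN_BREACHED_SHA1) -> bool:
    """True if the password's SHA-1 is in the breached-hash set. A password that
    is already in public dumps could have come from anywhere, so it cannot pin
    the leak on one particular site."""
    return fingerprints(password)["sha1"].upper() in known_sha1


def reuse_audit(vault) -> list:
    """Groups of sites that share one password: the list to fix before any leak."""
    by_password = {}
    for site, _email, password in vault:
        by_password.setdefault(password, []).append(site)
    return [sites for sites in by_password.values() if len(sites) > 1]


def attribute_leak(vault, leaked_email: str, leaked_password: str) -> dict:
    """Match the email+password pair quoted in an extortion mail against the vault.

    Exactly one entry matching both the address and the password points at that
    site as the only plausible source (the post's argument); every other entry
    that shares the password is a reuse that has to be rotated as well."""
    exact = [site for site, email, password in vault
             if email == leaked_email and password == leaked_password]
    reused = [site for site, email, password in vault
              if password == leaked_password and site not in exact]
    return {
        "source_candidates": exact,
        "unique_source": exact[0] if len(exact) == 1 else None,
        "rotate_also": reused,
        "seen_in_public_dumps": in_public_dumps(leaked_password),
    }


if __name__ == "__main__":
    # Constructed extortion-mail contents for the demonstration.
    report = attribute_leak(VAULT, "lj-only@example.org", "plover-ninety-two-lantern")
    print("likely source:", report["unique_source"])
    print("also change on:", report["rotate_also"])
    print("password in public dumps:", report["seen_in_public_dumps"])
    print("reused passwords before the leak:", reuse_audit(VAULT))
```

Two design points. The attribution only holds when the pair is unique: a site-unique address plus a site-unique password that is not in any public dump leaves one candidate, whereas a common password like `qwerty` matches the vault but proves nothing about where it leaked. And the hash comparison here is against a local set; against a live service such as HaveIBeenPwned's Pwned Passwords you would send only the first five characters of the SHA-1 (its range query) and compare the returned suffixes locally, so neither the password nor its full hash leaves your machine.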

If you did like LJ back in the day, do consider Dreamwidth. You can't post pictures of cats as easily as on FB, but its privacy is better than FB has ever managed, it's paid for via (optional) subscriptions rather than by selling your info / advertising, and, not least, since it's based on the same code, you can easily import your old LJ into it.

* Organised by the same person who ran that session back in 2002!

** LJ's current owners don't actually delete things for a year, just in case you change your mind.

8 thoughts on “Livejournal compromised in more ways than one?”

  1. Siderea

    Hi there, I was just pointed at this, because I just posted about getting a roboextortion that pointed to a compromise of one of three systems: LJ, DW, and Google.

    You do seem to have a smoking gun. FYI, the password in the roboextortion I got was one I stopped using on LJ on Dec 29, 2016. However, it was only during the spans Oct 2003 to April 9 2007 and Aug 5 2011 to Jan 25 2014 that the corresponding email address was in use with that account. I suspect that the breach was between Aug 5 2011 and Jan 25 2014, or possibly during the earlier span.

    Reply
  2. Ian

    Yes, I suspect that it happened after the Russian firm SUP took over LJ in 2007 and probably after they moved all the development to Russia. All the servers moved there in, gosh, December 2016. But even if you deleted the account then, it was still on their servers for at least a year because that's how long their 'cooling off' period is. (They probably still have the details, who knows?)

    Looking at my mail server logs, the addresses for more than one LJ account started getting attempts to email them 'from' themselves on the 25th, and it was only because the bots sending to this one address finally managed to get past the spambot tests a week later that I know about this.

    But even without seeing the others, it's absolutely LJ details being used: email addresses for accounts on other domains have not been getting these.

    The affected email addresses are not in HaveIBeenPwned's database and the password isn't in their 156 million long list of passwords.

    I don't know how LJ stored the passwords, but the MD5, SHA1 and SHA256 hashes of it aren't in CrackStation's fifteen billion long list of hashes.

    This isn't a series of lucky guesses. This is inside information, either from someone at LJ sniffing passwords when you login or some serious breach of security from outside. Given that the Russian state has not always appreciated what LJ's large Russian user base has been saying about it, it could be either.

    Reply
  3. Ian

    Doing a search for the Bitcoin address in the email reveals that…

    a) Plenty of other people got similar emails yesterday – it's possible those behind this decided to pay to use better spambots after a week of not getting anywhere.

    b) It looks like about $7,000 of Bitcoin has been paid into that address since yesterday.

    c) It doesn't look like they used the account details to actually log into everyone's LJ account to see if there was anything worth stealing / using for blackmail. Or if they did, they didn't include me, but went after – say – ones with Russian email addresses.

    Reply
  4. Ganesh Sittampalam

    I received one of the emails today, the data must have come from LJ as it was both a unique email address and a unique password (which I have now changed!).

    Reply
    1. Ian

      Unless you have a really good reason to stay using LJ, join dreamwidth.org instead! It's really easy to import your old LJ and you can also automatically cross-post anything on your DW to your LJ.

      Reply
  5. Michael Dayah

    I've also been suspecting a LiveJournal password leak as a password I used there was sent to me in bitcoin extortion emails. Here are the addresses requesting bitcoin which knew the LiveJournal password. I don't believe I used that password anywhere else, and it's not in WeLeakInfo or listed as compromised by HaveIBeenPwned.

    1PNpAXTo6jh4V9dhXRvimNYqPYjvZEnQiu
    1GXazHVQUdJEtpe62UFozFibPa8ToDoUn3
    1Bt4psBJmjfVTcW6eYiJZ6HEbpFgKkBSX4
    1BncH5WxBSYJ6mmcJC9bCRxQ6Z1evvtRxk
    1PuYAe7BLxNE6F6zE2PeVthfXCeYH88PmQ

    The first e-mail came Oct 2, 2018. I've tried to notify Troy Hunt of HIBP but I guess the leak is still private.

    Reply
    1. Ian

      If you look at Troy's Twitter account, you'll see he's mentioned it… Before it gets into the Have I Been Pwned database, he needs a copy of the affected addresses, and while it's out there – I got another attempted blackmail email today – it's presumably not freely available.

      Reply
