How user credentials from LiveJournal wound up on the Dark Web

Hackers are trying to sell 26 million LiveJournal account credentials following a reported data breach that happened years ago.


Cybercriminals are hawking another set of leaked login credentials, this time from the Russian blogging site LiveJournal. The email addresses, usernames, and plain text passwords of more than 26 million compromised LiveJournal accounts have found their way onto various Dark Web sites and forums.

Following a data breach that may date back to 2017 or as early as 2014, an archive of the leaked data was shared on a hacking forum this month and broadly distributed, according to data breach notification service Have I Been Pwned.

Several current and former LiveJournal users have also tweeted messages that they've received phishing and extortion emails with email addresses and passwords unique to the blogging service.


Reports of a LiveJournal data breach have been around for several years. In mid-2019, reports surfaced about an alleged LiveJournal breach that occurred in 2014. On Tuesday, the co-founder of Dreamwidth, a blogging platform forked from the LiveJournal codebase with a crossover in users, tweeted about an increase in credential stuffing attacks.

In March, the Dreamwidth co-founder revealed that spammers were abusing legitimate accounts by logging in with hijacked username/password combinations that were for sale on the Dark Web.


Following the theft of LiveJournal's user database, multiple ads were posted by Dark Web data brokers, according to ZDNet. In these ads, criminals were selling or willing to buy the LiveJournal database. This indicates that hackers were aware of the stolen data, even though the Rambler Group, the company that owns LiveJournal, has never officially acknowledged any specific data breach.

Asked for comment on the Dark Web sales, the Rambler Group shared the following statement with TechRepublic:

We constantly maintain monitoring and strive to ensure that our users feel as safe and protected as possible. We analyzed the data that appeared and can say that the data may be compiled using different sources and is mostly falsified.

We encountered cases of brute-force attacks in 2011-2012. We have implemented a suspicious activity system to track and block suspicious logins since then, and have improved our password storage mechanics. We have developed all of the necessary protocols for unauthorized account usage attempts.

We alert our users regularly to the necessity of updating their password. We have disabled passwords that were not updated for an extended period of time. Users experiencing trouble accessing their accounts can submit a support request to get assistance.

In light of the leak of LiveJournal user credentials, especially plain text passwords, what did the Rambler Group and LiveJournal do, or fail to do, to protect the security of its users?

"LiveJournal is a case study in security failure from start to finish," said Chris Clements, VP of solutions architecture for Cerberus Sentinel. "The breach has been well known since late 2018 and the dataset suggests it began 4 years earlier in 2014."

Even worse, Clements said, "LiveJournal apparently didn't follow even the most basic security best practices such as securely hashing users' passwords. This put their users at enormous risk of immediate compromise should there ever be a problem that exposed the LiveJournal database. Attackers can use the cleartext passwords to log in directly to the compromised user's account and try the same password on other services as often people will reuse the same password for many or all their accounts."

Clements also faulted LiveJournal for not being transparent about its security issues.

"The worst failure, however, is that LiveJournal is still either unaware or willfully ignorant of the breach and has left its users at risk by failing to notify them or encouraging them to change their passwords," Clements said.

"This is completely inexcusable behavior for any organization that is entrusted with data from users. Unless LiveJournal provides a prompt response to this breach and transparent accounting of how it is now conforming to security best practices, I'd encourage any LiveJournal users to abandon the service."

One of the first rules of user security is that stored passwords must be protected with the right safeguards: a salted, deliberately slow hash rather than plain text or a fast digest.

"It's important that credentials like passwords are stored in a secure manner," said Javvad Malik, security awareness advocate for KnowBe4. "This means using an appropriately strong hash as opposed to MD5. The problem with storing passwords insecurely is that criminals will try to use the email and password combinations to target other services in password stuffing attacks."
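To make the contrast Malik draws concrete, here is an added example (not code from LiveJournal, Rambler, or anyone quoted in the article) that puts an unsalted MD5 store beside a salted PBKDF2-HMAC-SHA256 store from the Python standard library. The `hunter2` sample and the record format `algorithm$iterations$salt$digest` are assumptions of this example. It also shows why the unsalted store leaks which users share a password, which is what lets a leaked table be matched against precomputed digests.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2 work factor; raise it as hardware gets faster


def md5_store(password: str) -> str:
    """Unsalted, fast hash: the storage the article warns against.
    Equal passwords give equal digests across all users."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, slow hash. Returns a self-describing record
    (format assumed for this example): algorithm$iterations$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and parameters, compare in
    constant time. Malformed records are rejected instead of raising."""
    try:
        algo, iterations, salt_b64, digest_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


def duplicates_visible(passwords, store) -> bool:
    """True if two users with the same password get identical stored values,
    i.e. the store reveals password reuse to anyone holding a leaked copy."""
    stored = [store(p) for p in passwords]
    return len(set(stored)) < len(stored)


if __name__ == "__main__":
    users = ["hunter2", "hunter2"]  # constructed sample: two users, same password
    print("MD5 reveals reuse:", duplicates_visible(users, md5_store))        # True
    print("PBKDF2 reveals reuse:", duplicates_visible(users, hash_password))  # False
```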

In some cases, the phishing and extortion emails contain old and outdated user passwords. But the risk here is that some people may be using those leaked passwords elsewhere.

"Due to the time that has passed since the breached data was actively circulated and exploited it is likely anyone with a LiveJournal account that reused their passwords on other services has already been compromised," Clements said. "Even so it's still a good idea for anyone affected by this breach to change the passwords for any accounts they may have reused their LiveJournal password on and enable multifactor authentication everywhere possible."

"In addition, they should be on the lookout for fake extortion emails where cybercriminals try to appear to have compromising information about them and attempt to 'prove' their claims by showing that they have a password the user chose in the past. These are almost unfailingly fake with the cybercriminal not actually in possession of any sensitive information about the user."
