In mid-May 2020, information about a leak of the data of 33.7 million LiveJournal (aka LJ, aka Live Journal) users appeared in the Telegram channel of Ashot Oganesyan, head of the DeviceLock company. It was reported that the text file in question contains 33,726,800 lines, which include user IDs, email addresses, links to user profiles, and passwords in plain text (795,402 lines have a blank password).
Subsequent analysis of the passwords showed that 69% of the email/password combinations were unique, that is, they had never appeared in other leaks before.
Now the publication ZDNet has released material shedding light on the details of what happened.
Journalists write that LJ apparently suffered the breach back in 2014, and rumors about it have circulated online for many years. For example, a compromise was discussed in October 2018, when LJ users reported en masse that they had received old but unique LiveJournal passwords as part of a sextortion blackmail campaign.
I've received this extortion letter, with an email address I used unique to LiveJournal, and an ancient password.
– Aaron Wigley (@wigsofoz) October 19, 2018
Although the 2014 hack was never officially confirmed, in recent months the DreamWidth blogging platform, built on the LiveJournal code base, has also come under attack. In a series of posts and tweets, DreamWidth developers described the massive credential stuffing attacks they have been seeing lately.
Let me remind you that this term refers to situations where usernames and passwords stolen from one site are then used against others. That is, the attackers have a ready-made database of credentials (purchased on the darknet, collected themselves, and so on) and use it to try to log in to other sites and services as their victims. Unfortunately, users often reuse the same usernames and passwords across services for years without changing them, which makes such attacks very effective.
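The pattern DreamWidth describes has a recognisable shape in authentication logs: one source tries many different usernames, roughly one attempt each, with a high failure rate and a few successes (the reused credentials). The following Python detector is an added example, not code from the article, DreamWidth or LiveJournal; the log format, the thresholds, the IP addresses (documentation ranges) and the sample lines are all constructed assumptions for the illustration.

```python
"""Flag source IPs whose login activity looks like credential stuffing.

Added example; the log format and thresholds are assumptions, not the
format of any real site. Brute force against a single account (many
attempts, one username) deliberately does not trip these thresholds, so
the two attack types can be alerted on separately.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: ISO timestamp, client IP,
# username, result). 203.0.113.0/24 etc. are documentation ranges.
SAMPLE_LOG = """\
2020-05-26T10:00:01Z 203.0.113.7 alice FAIL
2020-05-26T10:00:02Z 203.0.113.7 bob FAIL
2020-05-26T10:00:02Z 203.0.113.7 carol FAIL
2020-05-26T10:00:03Z 203.0.113.7 dave OK
2020-05-26T10:00:03Z 203.0.113.7 erin FAIL
2020-05-26T10:00:04Z 203.0.113.7 frank FAIL
2020-05-26T10:00:04Z 203.0.113.7 grace FAIL
2020-05-26T10:00:05Z 203.0.113.7 heidi FAIL
2020-05-26T10:00:05Z 203.0.113.7 ivan OK
2020-05-26T10:00:06Z 203.0.113.7 judy FAIL
2020-05-26T10:01:00Z 198.51.100.9 alice FAIL
2020-05-26T10:01:30Z 198.51.100.9 alice FAIL
2020-05-26T10:02:00Z 198.51.100.9 alice OK
2020-05-26T10:05:00Z 192.0.2.44 bob OK
"""


def parse_log(text):
    """Return a list of (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((stamp, ip, user, result == "OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_attempts=8, min_distinct_users=5,
                               min_fail_ratio=0.5):
    """Sliding-window check per source IP.

    An IP is flagged when, inside `window`, it made at least `min_attempts`
    logins against at least `min_distinct_users` different usernames and at
    least `min_fail_ratio` of them failed. The successful usernames inside a
    flagged window are the accounts to force a password reset on.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            attempts = len(span)
            users = {e[2] for e in span}
            failures = sum(1 for e in span if not e[3])
            if (attempts >= min_attempts
                    and len(users) >= min_distinct_users
                    and failures / attempts >= min_fail_ratio):
                # Keep the widest qualifying window for this IP.
                if ip not in alerts or attempts > alerts[ip]["attempts"]:
                    alerts[ip] = {
                        "attempts": attempts,
                        "distinct_users": len(users),
                        "failures": failures,
                        "successful_logins": sorted(e[2] for e in span if e[3]),
                    }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

In the sample, 203.0.113.7 is flagged (10 attempts, 10 usernames, 8 failures, with `dave` and `ivan` successfully logged in), while 198.51.100.9 retrying one account three times is not. In production the same logic runs over the real login event stream, and the thresholds are tuned against a baseline of normal traffic so that shared NAT egress addresses do not produce constant alerts.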
LJ hasn't made a formal disclosure or announcement, but we at @dreamwidth have been seeing credential stuffing attacks (we have a lot of overlap with LJ) increase greatly lately. I'm emailing you with what we've found!
– Denise "rahaeli" Paolucci (@rahaeli) May 26, 2020
DreamWidth claims that hackers used old username/password combinations from LiveJournal to hijack DreamWidth accounts and post spam on the site.
However, Rambler, the company that owns LiveJournal, still refused to acknowledge the compromise, even after DreamWidth administrators contacted it.
Now the leak of LJ user data has been confirmed by the authoritative leak aggregator Have I Been Pwned (HIBP). The service's administrators received a copy of the LiveJournal user database and indexed it on the site.
According to HIBP, the dump contains data on 26,372,781 LiveJournal users: usernames, email addresses and passwords in clear text. Let me remind you that this is consistent with the figures from Ashot Oganesyan, who calculated that the dump contains about 22.5 million unique email/password combinations.
The existence of the dump was confirmed by analysts at the information security company KELA, who found numerous references to the stolen database and its copies across the hacker underground.
First, KELA and ZDNet found several ads posted by data brokers in which hackers offered to sell, or asked to buy, the LiveJournal database. That is, criminals were well aware of the data stolen from LJ and were actively trading it.
Judging by these announcements, after LJ was compromised in 2014 the stolen data was sold privately, passed from hand to hand among spammer groups and botnet operators. Because the data was traded over and over, it eventually leaked to the public.
The first mention of the LiveJournal database becoming public dates to July 2019, when it was announced by the now-defunct stolen-data service WeLeakInfo.
New Data Breach Alert
Info: Username, Email, Password (Plaintext)
See if your information was leaked for free at https://t.co/Il5zj4Bl4h
– We Leak Info (@weleakinfo) July 13, 2019
Over time the dump became even more widely available. For example, LiveJournal databases were recently sold on the darknet for as little as $35. The ad, shown in the illustration below, refers to 33 million records, but that is only the total size of the dump before duplicates are removed.
As a result, the LiveJournal database was published on a well-known hacker forum, from where it spread almost instantly, and the dump is now offered for free on Telegram channels and uploaded to file hosting services.
But of course it is not only DreamWidth users who are at risk. People who use their LJ logins and passwords on other sites are also at risk of account takeover through credential stuffing. Users who changed their LJ password after 2014 are probably safe, but experts still advise changing the passwords on any other accounts where the same credentials may have been reused.
Interestingly, ZDNet managed to get a comment from Rambler representatives yesterday. Two weeks ago the company had stated that the information about the leak "is not true – this is one of those clickbait news stories whose task is to attract interest to a third party in this matter."
Now Rambler Group representatives continue to deny that hackers gained access to their systems, but they confirm that the dump exists and say the database contains information that hackers have been collecting for years from various sources: malware-infected systems (data stolen from browsers) and brute-force attacks (hackers simply guessed LiveJournal passwords).
“We constantly monitor and strive to ensure that our users feel safe and as secure as possible. We have analyzed the data that has appeared and we can report that this data could be compiled using different sources and basically falsified.
We encountered brute-force attacks in 2011-2012. Since then, we have implemented a suspicious activity detection system to track and block suspicious logins, and also improved password storage mechanisms. We have developed all the necessary protocols for cases of unauthorized use of accounts.
We regularly warn our users about the need to update passwords. We deactivate passwords that have not been updated for a long time. Users experiencing problems accessing their accounts can always send a request to the support service to get help,” said Rambler Group representatives.