liv: Stylised sheep with blue, purple, pink horizontal stripes, and teacup brand, dreams of Dreamwidth (_support)
[personal profile] liv
It's been fairly obvious for a while, but there's now convincing evidence that LiveJournal had a major data breach in 2014 (though LJ is still not admitting to it). Not just passwords, but email addresses as well. So you need to assume that bad guys have the ability to find any secret alt journals that share email addresses.

Also, they have access to any other sites that repeat the email address / password combination you used for your LJ(s) any time up to 2014. Which for many people includes DW and this is probably the reason why there has been such a spate of spammers taking over abandoned LJ import journals here.

If you really have to comment to tell me how you never reuse passwords, I suppose I can't stop you, but I don't think that kind of infosec smugness really helps here. Well done, you are l33t. For the rest of us mere mortals, this might be worth knowing. And perhaps some of your friends are not as amazingly careful with their internet security as you are; don't assume bad actors can't figure out your secret anony blogs from your social graph, or read your locked entries via a breached account that has access.

Thanks to [personal profile] sorcyress for the heads-up.

(no subject)

Date: 2020-05-26 03:07 pm (UTC)
sfred: Fred wearing a hat in front of a trans flag (Default)
From: [personal profile] sfred
Thank you.

(no subject)

Date: 2020-05-26 03:16 pm (UTC)
highlyeccentric: Sign on Little Queen St - One Way both directions (Default)
From: [personal profile] highlyeccentric
Oh DUH I'm slow, I've been racking my brains trying to figure out who the 'other social media service' is.

(no subject)

Date: 2020-05-26 03:32 pm (UTC)
vatine: Generated with some CL code and a hand-designed blackletter font (Default)
From: [personal profile] vatine
Bleh, that's not good on multiple dimensions. The data breach, clearly, is not good. The owning-up to the data breach is also not good. It might actually be worse than the data breach happening in the first place.

And, as always, keeping separate passwords for separate things is a good thing. Use a password safe. Or write the passwords down somewhere safe. A post-it under your keyboard does not constitute "safe", unless your keyboard's physical security is sufficient that you would be happy leaving all your credit cards there, with all your IDs.

(no subject)

Date: 2020-05-28 03:15 am (UTC)
siderea: (Default)
From: [personal profile] siderea
o_O

(no subject)

Date: 2020-05-26 06:34 pm (UTC)
monanotlisa: symbol, image, ttrpg, party, pun about rolling dice and getting rolling (Default)
From: [personal profile] monanotlisa
Thanks, Liv. I completely agree that this is worth noting. :/ I have phased out my passwords, and I have a separate fandom and real life account setup, but obviously identity as such is easily gleaned through locked and filtered entries.

(no subject)

Date: 2020-05-27 12:48 am (UTC)
lilacsigil: 12 Apostles rocks, text "Rock On" (12 Apostles)
From: [personal profile] lilacsigil
> to tell me how you never reuse passwords

In this case, even if you never reuse passwords, people could still link your separate anonymous blogs via a shared email address! And I know there's people who never reuse an email address either, but I don't think there's so many of those!

(no subject)

Date: 2020-05-28 03:32 am (UTC)
siderea: (Default)
From: [personal profile] siderea
> In this case, even if you never reuse passwords, people could still link your separate anonymous blogs via a shared email address!

Yes, and there's an additional threat, even for people with but a single journal, which I've seen nowhere mentioned: if your journal was pseudonymous, but your email was tied to your professional name – or, worse, includes your wallet name, e.g. "johnsmith@gmail.com" – the mapping of email address to journal name could out the real owner of the journal, and even betray other personal info like institutional affiliation, e.g. "johnsmith@employer.com" or "johnsmith22@school.edu".

Also, and this is a very exotic threat but one courts in the US have ruled on, since a password can be anything, it, itself, can contain confidential (or incriminating!) evidence, e.g. "IHateMyB0$$" or "Kill4llCops", which one might prefer not be associated with either one's account name or one's email address and its associated identities.

ETA: And I am one of those people who don't reuse email addresses (not at all, but a lot) and hooooboy was this vindicating of going to all that effort. Recommended!
Edited Date: 2020-05-28 03:34 am (UTC)

Finally!

Date: 2020-05-27 12:59 pm (UTC)
lovingboth: (Default)
From: [personal profile] lovingboth
It's been obvious what the source was since 2018 - how many other people told Denise et al that they were unique username / password combinations that had been sent to them via blackmail emails?

What they should have done is reset the password of everyone who'd imported their LJ just in case they reused the password here.

(no subject)

Date: 2020-05-28 03:20 am (UTC)
siderea: (Default)
From: [personal profile] siderea
I'd also just like to observe that the way the password part of this breach happened, in substantial part, is because LJ stored passwords in plaintext, instead of encrypting them. And until very recently – first week of May? – so did DW. (Assuming the push to fix that went live when it was supposed to!)

(no subject)

Date: 2020-05-28 03:46 am (UTC)
siderea: (Default)
From: [personal profile] siderea
Oh, and, btw, I changed my email address over at LJ several times. The email of mine that got got in this breach? I stopped using it with LJ on January 25, 2014, so presumably the breach had to have happened before that date; none of my subsequent emails have been discovered, per HaveIBeenPwned. See https://siderea.dreamwidth.org/1453052.html
