[public] PSA for Livejournal users (and many on Dreamwidth): You can be deanonymized

[squirrelitude]

Livejournal was hacked in 2014. Someone managed to download a list of all users, and has posted it on the web. (I'm not telling exactly where, for reasons that will become clear.) It contains over 30 million records with email addresses, usernames, and raw passwords.

You know what to do when your password is leaked: You change it to something new, something you haven't used anywhere else, something complicated. Maybe you store it in a password manager so you don't have to remember it. And check to see if you used it anywhere else, especially on Dreamwidth.

But this is worse: Your email address is now linked to the usernames of any accounts you created with that email. Here are some scenarios:

• You created two LJ accounts with public entries, one for everyday stuff and one for your sexploits. Someone who knows the "public" username can see what email it was registered with, search for that email, and find your sex blog.
• You have a well-known but pseudonymous journal. Someone who wants to identify you can now find your email address, from which they can likely find your identity.
• You have a journal that is again pseudonymous, but not necessarily well known, and was registered with your regular email address. Someone who knows your email and is curious can check to see if you had any LJ accounts.
• You used a different email to register your two journals, but the same password. Now someone can determine that those accounts were likely registered by the same person, as long as that password is uncommon enough.

And of course all of that remains true for Dreamwidth, even though DW wasn't breached, as long as you used the same username when you moved from LJ to DW.

(Livejournal has not yet acknowledged the breach, but multiple people, myself included, have identified their own LJ-specific passwords, usernames, and email addresses in this dump.)

So, this sucks. I guess people can go and lock down their old journals if needed, if they still have access. But in some cases the damage is not preventable. People entrusted their privacy and identities to Livejournal, and inevitably that trust was broken; once that information is out there, it's out there. I wish I had something to offer people that were better at preserving privacy, but I don't think the right thing exists yet. (I'm working on something, but it's still pretty early. It's a hard problem!)

Technical notes

It looks like Have I Been Pwned doesn't yet have the emails and passwords, but in the meantime if you're technically inclined I have a few extracts of the data that are safe to share. I'm making a list of SHA-1 hashes of unique email addresses available over IPFS under the address QmYaKzshXTD6g2aMwbhWyYcTTkgi5Qugnjx3mT4xw5r5sk. It's about 1 gigabyte. Additionally, I've created a list of SHA-1 hashes of passwords under IPFS address QmX4BLvyrQLJapZXw44gQ8DyDKPZmNQpGKEfSrNkZCegim, again about a gigabyte, and this time with occurrence counts. Here's an example usage showing that the password "qwerty" was used over 27 thousand times:

$ read -p "Enter text to hash: " pw; echo -n "$pw" | sha1sum
Enter text to hash: qwerty
b1b3773a05c0ed0176787a4f1574ff0075f7521e  -

$ grep b1b3773a05c0ed0176787a4f1574ff0075f7521e ~/Downloads/lj-password-sha1-uniq-count.txt 
  27625 b1b3773a05c0ed0176787a4f1574ff0075f7521e

If someone would like to host those as a torrent or create a website for querying the data, that would be cool, but I'm sure HIBP will have it very soon so maybe don't worry about it. :-)

Updates

2020-05-26 22:30: Passwords and emails have now been incorporated into Have I Been Pwned: https://haveibeenpwned.com/PwnedWebsites#LiveJournal. I suppose breach notifications will be rolling out soon.

23:58: Emails are rolling out, but passwords aren't loaded in yet.

2020-05-28 12:30: Firefox is now warning people who visit Livejournal about the breach. There is an update from DW. There is also a very skimpy and vague denial from Livejournal. And (see comments) I think I can narrow the dump date down to May 2012, so the LJ DB would have been compromised before that date.

Comments

[writerkit]

And see, I went and deleted my old LJ not so long ago, which actually means I now have NO IDEA what email addresses were attached to that account-- it was so old I think it predates the existence of my current email, but I'm not sure.

[squirrelitude]

I suppose I could look it up for you! I feel weird gatekeeping access to the data, because 1) it's already public, just moderately difficult to find, 2) it's probably going to get *easier* to find over time anyhow, and 3) any searches I do for someone means I end up looking at possibly sensitive data (which I've been trying to avoid doing), and I don't want to make that a condition of people learning about their exposure.

[wolfden]

I can’t remember when I deleted my LJ. I think it was after 2014. Well crud. I have changed passwords most places. Already I think. Grrrrrrrrrrr

[squirrelitude]

The main risks here are identity collapse and password re-use. If you only ever had the one journal and it's only lightly pseudonymous and/or you locked anything sensitive, the consequences are relatively minimal. If you re-used that password on any other sites (including DW) then changing those passwords is sufficient.

[muccamukk]

In from a link that's going around DW.

Thanks for putting this out there specifically. I'd worked out the password problems were LJ from denise's hints, but didn't know about the e-mail thing.

[lizvogel]

(here via network)

I wonder if that explains why I suddenly started getting spam at the addresses for my LJ accounts?

Thank goodness I use Sneakemail; different email address for every site/account, so all I have to do is a couple of clicks to disable them, and generate new ones. (No help for putting the horse back in the barn, but I do highly recommend Sneakemail for folks who want to avoid this sort of problem in future.)

[squirrelitude]

My understanding is that when the user data was first dumped in 2014, it would have been sold at a good price on some credit cards 'n' passwords market. The buyer would have used the passwords for credential stuffing attacks, and maybe even account takeovers if they found any juicy targets. It would have been sold again at lower prices over time, until eventually it was cheap enough that people running low-return operations like spamming would have used it. And now it's considered largely useless because it has been "used up", so it's just circulating freely.

So yeah, there have been some spam waves recently (including account takeovers used for posting spam!) and scam emails where the scammer sends you your LJ password and claims to have "hacked your email", but those were probably from people who bought the DB later on.

[lizvogel]

Yeah, that fits. It was mainly Canadian vi@gra spam, which I figure is pretty low-rent as spam goes. ;-)

ETA: Fortunately LJ never had my credit card; every time I'd about talked myself into getting a paid account, they did something else stupid. You could almost set your watch by it.

[squirrelitude]

On Sneakemail... good solution, as long as people keep in mind that the disposable email provider needs to be at least as reliable as a regular email provider—if they go down, you might get locked out of your accounts; if they get bought out (or hacked), the new owner (or "owner") has the ability to log into all of your accounts, and access to any sensitive info that has been emailed to you, besides.

My preference is to have my own domain name and configure a catch-all for email, which allows me to make up addresses on the fly. But a lot of services, including GMail, also allow you to use plus-addressing to similar effect.

(Of course, even if I register with different emails, an attacker can still see that I registered with emails on the same *domain*, so if I really wanted to make sure my identities weren't linkable I'd use a different domain or even email provider to register the other account.)

[lizvogel]

Valid point. I recommend Sneakemail because it's been good for me for many years, but of course that guarantees nothing for the future. LJ was good once, too.

[brainwane]

Thank you for the PSA. This may be overstepping and I apologize if so; if you yourself have not yet pinged Troy Hunt of Have I Been Pwned to offer the bits of the data you have, I suggest you consider doing so.

[squirrelitude]

Yep, I have! I guess I forgot to mention that rather important fact. :-)

It looks like he's still doing some research on whether to consider this a validated breach: https://twitter.com/troyhunt/status/1265191348581224449

[brainwane]

Thank you!

[lovingboth]

He was given evidence of it back in October 2018.

[squirrelitude]

I reckon he didn't have the data at that point yet.

[lovingboth]

No, but even without the actual data it was widely known it had happened back then:

https://twitter.com/troyhunt/status/1050391317266620416

The admin here were also told back then.

Given the gap between the date of the data (between 2017 and 2014, depending on how bad you think LJ were at not deleting data for old accounts), my guess is that it was used to target specific Russian accounts until it was sold to people do did mass spamming with it.

[siderea]

Another scenario: if you used an email address that includes your identity for a pseudonymous journal – e.g. johnsmith@gmail.com – just knowing the email for that journal now give your name up as the owner of the journal. Worse, if you used a work or school email, e.g. johnsmith@johnsjob.com or johnsmith@school.edu, this may also betray your institutional affiliation.

For the record, email address of mine that was got in the breach I – coincidentally! – changed on Jan 25, 2014, so that is the last day on which someone could have stolen it from active use on LJ. See https://siderea.dreamwidth.org/1453052.html for discussion. So if we have some reason to believe it happened in 2014, I gather we can narrow it down to the first 25 days of 2014.

[squirrelitude]

Great point on the email, yeah. Earlier I did a quick search on email domain names, and found (IIRC) a few thousand .mil and .gov addresses. Sampling from those, the email addresses were mostly wallet-name@whatever.

That Jan 25 date is interesting, because Denise has seen a claim for June/July 2014.

But I have just now realized a different way to check! The dump doesn't just contain emails, usernames, and passwords. It also appears to contain user IDs, which are sequential numbers, starting with 1 for bradfitz. They are also public information and can be seen on profile pages to verify. cut -d' ' -f1 ~/tmp/lj-breach-2014.txt | sort -rn | head gives me the largest IDs. The newest 3 are all purged accounts, but I checked the profile of the 4th newest and it says "Account Created on 31 May 2012".

In 2018, I think we narrowed the window to roughly "2011 to 2014", but now I'd bet money on May 2012.

[siderea]

I wonder if there's a source for that time range other than me, because that is (more or less) the one I came up with. It's based on the time span I had that address in use on LJ.

In any event, good sleuthing!

[denise]

Having popped back to this post because I was just linking it in a dw-maint comment explaining the whole saga of LJ and the Lying Liars who Lie, please allow me to practice some thread necromancy: if I'm remembering my timing correctly, I had (prior to everything blowing to hell at the end of May 2020) been trying to find any specific data marketplace that was listing anything LJ-related, and came across references to (but never an actual listing for) what I believe is the file that eventually made it to Troy and to us. The people who spoke of it called it "X million LiveJournal accounts, captured June/July 2014".

We sliced and diced the information as much as we could and a few people with very good (or very bad) email retention habits just confused us more. My ultimate conclusion is that LJ was correct about one small detail in their giant ball of lies about the whole situation: it was a concatenation of several other files' data. Unfortunately for LJ, that only shows that their servers were, in fact, compromised much longer than they thought.

(Honestly, even two years later, my money is on datacenter employee running a side hustle. I heard a lot of FSB/Russian government theorizing at the time: the Russian government doesn't need to hack LiveJournal, they already own it.)

[squirrelitude]

Wow, thanks for the followup! I guess it makes sense that the attacker would have had the opportunity to do multiple dumps, and then would have just merged them.

Sadface on the side hustle theory.

[denise]

Yeah, it's one of those things that confused us more the more we dug into it. When we got the actual dump file, it contained something like 32 million records, and about 5 million of those were duplicates of the same userid. The duplicates were the really interesting thing to dig into: they were always the same userid, but many of them had a different email address or password in different records. That's what really convinced me of "multiple dumps, merged badly".

[squirrelitude]

Oh huh. I wonder if we have different dump files, then. The file I have is about the same size (33,726,800 records), but the first field (incremental integers) and third field ([username].livejournal.com/profile) are all unique. However, there are a whole bunch of email addresses that show up under hundreds of accounts.

I also keep laughing at the passwords in the first two lines (belonging to bradfitz and eli in my dump).

[denise]

Huh, we might! Ours deduped down to like 26m records, I think it was? Idk, it's been log enough I've forgotten a bunch of the details.