[public] PSA for Livejournal users (and many on Dreamwidth): You can be deanonymized

[squirrelitude]

Livejournal was hacked in 2014. Someone managed to download a list of all users, and has posted it on the web. (I'm not telling exactly where, for reasons that will become clear.) It contains over 30 million records with email addresses, usernames, and raw passwords.

You know what to do when your password is leaked: You change it to something new, something you haven't used anywhere else, something complicated. Maybe you store it in a password manager so you don't have to remember it. And check to see if you used it anywhere else, especially on Dreamwidth.

But this is worse: Your email address is now linked to the usernames of any accounts you created with that email. Here are some scenarios:

• You created two LJ accounts with public entries, one for everyday stuff and one for your sexploits. Someone who knows the "public" username can see what email it was registered with, search for that email, and find your sex blog.
• You have a well-known but pseudonymous journal. Someone who wants to identify you can now find your email address, from which they can likely find your identity.
• You have a journal that is again pseudonymous, but not necessarily well known, and was registered with your regular email address. Someone who knows your email and is curious can check to see if you had any LJ accounts.
• You used a different email to register your two journals, but the same password. Now someone can determine that those accounts were likely registered by the same person, as long as that password is uncommon enough.

And of course all of that remains true for Dreamwidth, even though DW wasn't breached, as long as you used the same username when you moved from LJ to DW.

(Livejournal has not yet acknowledged the breach, but multiple people, myself included, have identified their own LJ-specific passwords, usernames, and email addresses in this dump.)

So, this sucks. I guess people can go and lock down their old journals if needed, if they still have access. But in some cases the damage is not preventable. People entrusted their privacy and identities to Livejournal, and inevitably that trust was broken; once that information is out there, it's out there. I wish I had something to offer people that were better at preserving privacy, but I don't think the right thing exists yet. (I'm working on something, but it's still pretty early. It's a hard problem!)

Technical notes

It looks like Have I Been Pwned doesn't yet have the emails and passwords, but in the meantime if you're technically inclined I have a few extracts of the data that are safe to share. I'm making a list of SHA-1 hashes of unique email addresses available over IPFS under the address QmYaKzshXTD6g2aMwbhWyYcTTkgi5Qugnjx3mT4xw5r5sk. It's about 1 gigabyte. Additionally, I've created a list of SHA-1 hashes of passwords under IPFS address QmX4BLvyrQLJapZXw44gQ8DyDKPZmNQpGKEfSrNkZCegim, again about a gigabyte, and this time with occurrence counts. Here's an example usage showing that the password "qwerty" was used over 27 thousand times:

$ read -p "Enter text to hash: " pw; echo -n "$pw" | sha1sum
Enter text to hash: qwerty
b1b3773a05c0ed0176787a4f1574ff0075f7521e  -

$ grep b1b3773a05c0ed0176787a4f1574ff0075f7521e ~/Downloads/lj-password-sha1-uniq-count.txt 
  27625 b1b3773a05c0ed0176787a4f1574ff0075f7521e

If someone would like to host those as a torrent or create a website for querying the data, that would be cool, but I'm sure HIBP will have it very soon so maybe don't worry about it. :-)

Updates

2020-05-26 22:30: Passwords and emails have now been incorporated into Have I Been Pwned: https://haveibeenpwned.com/PwnedWebsites#LiveJournal. I suppose breach notifications will be rolling out soon.

23:58: Emails are rolling out, but passwords aren't loaded in yet.

2020-05-28 12:30: Firefox is now warning people who visit Livejournal about the breach. There is an update from DW. There is also a very skimpy and vague denial from Livejournal. And (see comments) I think I can narrow the dump date down to May 2012, so the LJ DB would have been compromised before that date.

Comments

[siderea]

Another scenario: if you used an email address that includes your identity for a pseudonymous journal – e.g. johnsmith@gmail.com – just knowing the email for that journal now give your name up as the owner of the journal. Worse, if you used a work or school email, e.g. johnsmith@johnsjob.com or johnsmith@school.edu, this may also betray your institutional affiliation.

For the record, email address of mine that was got in the breach I – coincidentally! – changed on Jan 25, 2014, so that is the last day on which someone could have stolen it from active use on LJ. See https://siderea.dreamwidth.org/1453052.html for discussion. So if we have some reason to believe it happened in 2014, I gather we can narrow it down to the first 25 days of 2014.

[squirrelitude]

Great point on the email, yeah. Earlier I did a quick search on email domain names, and found (IIRC) a few thousand .mil and .gov addresses. Sampling from those, the email addresses were mostly wallet-name@whatever.

That Jan 25 date is interesting, because Denise has seen a claim for June/July 2014.

But I have just now realized a different way to check! The dump doesn't just contain emails, usernames, and passwords. It also appears to contain user IDs, which are sequential numbers, starting with 1 for bradfitz. They are also public information and can be seen on profile pages to verify. cut -d' ' -f1 ~/tmp/lj-breach-2014.txt | sort -rn | head gives me the largest IDs. The newest 3 are all purged accounts, but I checked the profile of the 4th newest and it says "Account Created on 31 May 2012".

In 2018, I think we narrowed the window to roughly "2011 to 2014", but now I'd bet money on May 2012.

[siderea]

I wonder if there's a source for that time range other than me, because that is (more or less) the one I came up with. It's based on the time span I had that address in use on LJ.

In any event, good sleuthing!

[denise]

Having popped back to this post because I was just linking it in a dw-maint comment explaining the whole saga of LJ and the Lying Liars who Lie, please allow me to practice some thread necromancy: if I'm remembering my timing correctly, I had (prior to everything blowing to hell at the end of May 2020) been trying to find any specific data marketplace that was listing anything LJ-related, and came across references to (but never an actual listing for) what I believe is the file that eventually made it to Troy and to us. The people who spoke of it called it "X million LiveJournal accounts, captured June/July 2014".

We sliced and diced the information as much as we could and a few people with very good (or very bad) email retention habits just confused us more. My ultimate conclusion is that LJ was correct about one small detail in their giant ball of lies about the whole situation: it was a concatenation of several other files' data. Unfortunately for LJ, that only shows that their servers were, in fact, compromised much longer than they thought.

(Honestly, even two years later, my money is on datacenter employee running a side hustle. I heard a lot of FSB/Russian government theorizing at the time: the Russian government doesn't need to hack LiveJournal, they already own it.)

[squirrelitude]

Wow, thanks for the followup! I guess it makes sense that the attacker would have had the opportunity to do multiple dumps, and then would have just merged them.

Sadface on the side hustle theory.

[denise]

Yeah, it's one of those things that confused us more the more we dug into it. When we got the actual dump file, it contained something like 32 million records, and about 5 million of those were duplicates of the same userid. The duplicates were the really interesting thing to dig into: they were always the same userid, but many of them had a different email address or password in different records. That's what really convinced me of "multiple dumps, merged badly".

[squirrelitude]

Oh huh. I wonder if we have different dump files, then. The file I have is about the same size (33,726,800 records), but the first field (incremental integers) and third field ([username].livejournal.com/profile) are all unique. However, there are a whole bunch of email addresses that show up under hundreds of accounts.

I also keep laughing at the passwords in the first two lines (belonging to bradfitz and eli in my dump).

[denise]

Huh, we might! Ours deduped down to like 26m records, I think it was? Idk, it's been log enough I've forgotten a bunch of the details.