![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Livejournal was hacked in 2014. Someone managed to download a list of all users, and has posted it on the web. (I'm not telling exactly where, for reasons that will become clear.) It contains over 30 million records with email addresses, usernames, and raw passwords.
You know what to do when your password is leaked: You change it to something new, something you haven't used anywhere else, something complicated. Maybe you store it in a password manager so you don't have to remember it. And check to see if you used it anywhere else, especially on Dreamwidth.
But this is worse: Your email address is now linked to the usernames of any accounts you created with that email. Here are some scenarios:
- You created two LJ accounts with public entries, one for everyday stuff and one for your sexploits. Someone who knows the "public" username can see what email it was registered with, search for that email, and find your sex blog.
- You have a well-known but pseudonymous journal. Someone who wants to identify you can now find your email address, from which they can likely find your identity.
- You have a journal that is again pseudonymous, but not necessarily well known, and was registered with your regular email address. Someone who knows your email and is curious can check to see if you had any LJ accounts.
- You used a different email to register your two journals, but the same password. Now someone can determine that those accounts were likely registered by the same person, as long as that password is uncommon enough.
And of course all of that remains true for Dreamwidth, even though DW wasn't breached, as long as you used the same username when you moved from LJ to DW.
(Livejournal has not yet acknowledged the breach, but multiple people, myself included, have identified their own LJ-specific passwords, usernames, and email addresses in this dump.)
So, this sucks. I guess people can go and lock down their old journals if needed, if they still have access. But in some cases the damage is not preventable. People entrusted their privacy and identities to Livejournal, and inevitably that trust was broken; once that information is out there, it's out there. I wish I had something to offer people that were better at preserving privacy, but I don't think the right thing exists yet. (I'm working on something, but it's still pretty early. It's a hard problem!)
Technical notes
It looks like Have I Been Pwned doesn't yet have the emails and passwords, but in the meantime if you're technically inclined I have a few extracts of the data that are safe to share. I'm making a list of SHA-1 hashes of unique email addresses available over IPFS under the address QmYaKzshXTD6g2aMwbhWyYcTTkgi5Qugnjx3mT4xw5r5sk. It's about 1 gigabyte. Additionally, I've created a list of SHA-1 hashes of passwords under IPFS address QmX4BLvyrQLJapZXw44gQ8DyDKPZmNQpGKEfSrNkZCegim, again about a gigabyte, and this time with occurrence counts. Here's an example usage showing that the password "qwerty" was used over 27 thousand times:
$ read -p "Enter text to hash: " pw; echo -n "$pw" | sha1sum Enter text to hash: qwerty b1b3773a05c0ed0176787a4f1574ff0075f7521e - $ grep b1b3773a05c0ed0176787a4f1574ff0075f7521e ~/Downloads/lj-password-sha1-uniq-count.txt 27625 b1b3773a05c0ed0176787a4f1574ff0075f7521e
If someone would like to host those as a torrent or create a website for querying the data, that would be cool, but I'm sure HIBP will have it very soon so maybe don't worry about it. :-)
Updates
2020-05-26 22:30: Passwords and emails have now been incorporated into Have I Been Pwned: https://haveibeenpwned.com/PwnedWebsites#LiveJournal. I suppose breach notifications will be rolling out soon.
23:58: Emails are rolling out, but passwords aren't loaded in yet.
2020-05-28 12:30: Firefox is now warning people who visit Livejournal about the breach. There is an update from DW. There is also a very skimpy and vague denial from Livejournal. And (see comments) I think I can narrow the dump date down to May 2012, so the LJ DB would have been compromised before that date.
