Scamperings

Livejournal was hacked in 2014. Someone managed to download a list of all users, and has posted it on the web. (I'm not telling exactly where, for reasons that will become clear.) It contains over 30 million records with email addresses, usernames, and raw passwords.

You know what to do when your password is leaked: You change it to something new, something you haven't used anywhere else, something complicated. Maybe you store it in a password manager so you don't have to remember it. And check to see if you used it anywhere else, especially on Dreamwidth.

But this is worse: Your email address is now linked to the usernames of any accounts you created with that email. Here are some scenarios:

• You created two LJ accounts with public entries, one for everyday stuff and one for your sexploits. Someone who knows the "public" username can see what email it was registered with, search for that email, and find your sex blog.
• You have a well-known but pseudonymous journal. Someone who wants to identify you can now find your email address, from which they can likely find your identity.
• You have a journal that is again pseudonymous, but not necessarily well known, and was registered with your regular email address. Someone who knows your email and is curious can check to see if you had any LJ accounts.
• You used a different email to register your two journals, but the same password. Now someone can determine that those accounts were likely registered by the same person, as long as that password is uncommon enough.

And of course all of that remains true for Dreamwidth, even though DW wasn't breached, as long as you used the same username when you moved from LJ to DW.

(Livejournal has not yet acknowledged the breach, but multiple people, myself included, have identified their own LJ-specific passwords, usernames, and email addresses in this dump.)

So, this sucks. I guess people can go and lock down their old journals if needed, if they still have access. But in some cases the damage is not preventable. People entrusted their privacy and identities to Livejournal, and inevitably that trust was broken; once that information is out there, it's out there. I wish I had something to offer people that were better at preserving privacy, but I don't think the right thing exists yet. (I'm working on something, but it's still pretty early. It's a hard problem!)

Technical notes

It looks like Have I Been Pwned doesn't yet have the emails and passwords, but in the meantime if you're technically inclined I have a few extracts of the data that are safe to share. I'm making a list of SHA-1 hashes of unique email addresses available over IPFS under the address QmYaKzshXTD6g2aMwbhWyYcTTkgi5Qugnjx3mT4xw5r5sk. It's about 1 gigabyte. Additionally, I've created a list of SHA-1 hashes of passwords under IPFS address QmX4BLvyrQLJapZXw44gQ8DyDKPZmNQpGKEfSrNkZCegim, again about a gigabyte, and this time with occurrence counts. Here's an example usage showing that the password "qwerty" was used over 27 thousand times:

$ read -p "Enter text to hash: " pw; echo -n "$pw" | sha1sum
Enter text to hash: qwerty
b1b3773a05c0ed0176787a4f1574ff0075f7521e  -

$ grep b1b3773a05c0ed0176787a4f1574ff0075f7521e ~/Downloads/lj-password-sha1-uniq-count.txt 
  27625 b1b3773a05c0ed0176787a4f1574ff0075f7521e

If someone would like to host those as a torrent or create a website for querying the data, that would be cool, but I'm sure HIBP will have it very soon so maybe don't worry about it. :-)

Updates

2020-05-26 22:30: Passwords and emails have now been incorporated into Have I Been Pwned: https://haveibeenpwned.com/PwnedWebsites#LiveJournal. I suppose breach notifications will be rolling out soon.

23:58: Emails are rolling out, but passwords aren't loaded in yet.

2020-05-28 12:30: Firefox is now warning people who visit Livejournal about the breach. There is an update from DW. There is also a very skimpy and vague denial from Livejournal. And (see comments) I think I can narrow the dump date down to May 2012, so the LJ DB would have been compromised before that date.

Dreamwidth is a little unusual in giving everyone their own subdomain. Off the top of my head, I can only think of three other sites that do this: Its predecessor (Livejournal), Tumblr, and DeviantArt. There are almost certainly others, but it's uncommon.

Even though all communications to the site are done over a secure connection, so the *contents* of the pages are hidden from your ISP, any government interlopers, nosy parents who have installed spyware on the home router, and people snooping on your use of insecure café WiFi... the domain name you're visiting (here, squirrelitude.dreamwidth.org) is still being broadcast in two ways:

• When your computer asks the Domain Name System for the IP address of the site, it sends the domain name out in the clear[1], and the DNS server of course knows what domain you're asking for
  
• When your computer then connects to that IP address, it mentions the domain name in the initial message to the server[2]
  

That means that within a few minutes of poking around on Dreamwidth, anyone who can watch your internet traffic likely knows 1) who your friends are, and 2) by that token, who *you* are. (If you stick to just your Reading Page, you are not leaking your circle's usernames to any watchers, but you are leaking your own.)

I feel like this is maybe something that could and should be changed, since DW is already a centralized service and doesn't *need* separate domain names. (My social media prototype will *need* it, to some extent, which is a sobering thought.) I don't know if I believe this strongly enough to advocate for it,

Another option is to access DW via Tor! I just fired up TAILS and confirmed that I can log in to Dreamwidth just fine. [3] (No captchas or other nonsense.) Unlinking your home IP from the domain you're visiting (and those domains from each other) in the eyes of someone snooping on network traffic is *precisely* what Tor is for. So regardless of whether DW takes action on this, if this is a privacy issue for you, there is a way you can protect yourself. (Also applies to Tumblr, DeviantArt, etc.)


[1] This first part does not apply for people using experimental DNS-over-HTTPS—only the DNS server can read the request

[2] The Server Name Indication TLS header, which is unencrypted in current versions of TLS. TLS 1.3 allows encrypting it, but that's still being rolled out.

[3] Tor is quite safe to use as long as you're visiting HTTPS websites, which is most sites these days. But advice to heed browser warnings about invalid certificates applies doubly so over Tor. If you ignore those, Tor becomes *less* safe than using the internet directly. So don't. :-)