squirrelitude: (Default)

Livejournal was hacked in 2014. Someone managed to download a list of all users, and has posted it on the web. (I'm not telling exactly where, for reasons that will become clear.) It contains over 30 million records with email addresses, usernames, and raw passwords.

You know what to do when your password is leaked: You change it to something new, something you haven't used anywhere else, something complicated. Maybe you store it in a password manager so you don't have to remember it. And check to see if you used it anywhere else, especially on Dreamwidth.

But this is worse: Your email address is now linked to the usernames of any accounts you created with that email. Here are some scenarios:

  • You created two LJ accounts with public entries, one for everyday stuff and one for your sexploits. Someone who knows the "public" username can see what email it was registered with, search for that email, and find your sex blog.
  • You have a well-known but pseudonymous journal. Someone who wants to identify you can now find your email address, from which they can likely find your identity.
  • You have a journal that is again pseudonymous, but not necessarily well known, and was registered with your regular email address. Someone who knows your email and is curious can check to see if you had any LJ accounts.
  • You used a different email to register your two journals, but the same password. Now someone can determine that those accounts were likely registered by the same person, as long as that password is uncommon enough.

And of course all of that remains true for Dreamwidth, even though DW wasn't breached, as long as you used the same username when you moved from LJ to DW.

(Livejournal has not yet acknowledged the breach, but multiple people, myself included, have identified their own LJ-specific passwords, usernames, and email addresses in this dump.)

So, this sucks. I guess people can go and lock down their old journals if needed, if they still have access. But in some cases the damage is not preventable. People entrusted their privacy and identities to Livejournal, and inevitably that trust was broken; once that information is out there, it's out there. I wish I had something to offer people that were better at preserving privacy, but I don't think the right thing exists yet. (I'm working on something, but it's still pretty early. It's a hard problem!)

Technical notes

It looks like Have I Been Pwned doesn't yet have the emails and passwords, but in the meantime if you're technically inclined I have a few extracts of the data that are safe to share. I'm making a list of SHA-1 hashes of unique email addresses available over IPFS under the address QmYaKzshXTD6g2aMwbhWyYcTTkgi5Qugnjx3mT4xw5r5sk. It's about 1 gigabyte. Additionally, I've created a list of SHA-1 hashes of passwords under IPFS address QmX4BLvyrQLJapZXw44gQ8DyDKPZmNQpGKEfSrNkZCegim, again about a gigabyte, and this time with occurrence counts. Here's an example usage showing that the password "qwerty" was used over 27 thousand times:

$ read -p "Enter text to hash: " pw; echo -n "$pw" | sha1sum
Enter text to hash: qwerty
b1b3773a05c0ed0176787a4f1574ff0075f7521e  -

$ grep b1b3773a05c0ed0176787a4f1574ff0075f7521e ~/Downloads/lj-password-sha1-uniq-count.txt 
  27625 b1b3773a05c0ed0176787a4f1574ff0075f7521e
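As an added example (not code from the post), the one-off lookup above turned into a few reusable bash functions. It hashes the secret locally (so only the hash is ever compared), reads the secret without echoing it when run interactively, and matches the whole hash field instead of a plain grep substring. The filename and the 27625 count for "qwerty" are the post's; the second list entry and its count are constructed for the example. Keep in mind that unsalted SHA-1 of a guessable string is not secret: the email list lets anyone confirm whether an address they already know appears, which is the intended use, but it does not stop someone from hashing candidate addresses.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: check a secret against a
# "<count> <sha1>" list like the lj-password-sha1-uniq-count.txt extract above,
# hashing locally so the secret itself never leaves the machine.
set -eu

# Hash a string the way the post does: SHA-1 of the bytes with NO trailing
# newline (printf '%s' behaves like echo -n), printing only the hex digest.
sha1_of() {
    printf '%s' "$1" | sha1sum | cut -d' ' -f1
}

# Look up a hash in a "<count> <hash>" file and print its count (0 if absent).
# Comparing the whole second field avoids a plain grep's substring matches.
count_for_hash() {
    local hash="$1" file="$2" count
    count=$(awk -v h="$hash" '$2 == h { print $1; exit }' "$file")
    printf '%s\n' "${count:-0}"
}

# Hash a secret and look it up in one step.
count_for_secret() {
    count_for_hash "$(sha1_of "$1")" "$2"
}

# Write a small list in the extract's format to the given path. Only the
# 27625 for "qwerty" is the figure quoted in the post; the other entry and
# its count are constructed for this example.
make_sample_list() {
    {
        printf '%7d %s\n' 27625 "$(sha1_of 'qwerty')"
        printf '%7d %s\n' 3 "$(sha1_of 'correct horse battery staple')"
    } > "$1"
}

# Interactive use (bash only): read with -s so the secret is not echoed to
# the terminal or left in scrollback; the list path defaults to the post's
# filename under ~/Downloads.
if [ "${1:-}" = "--check" ]; then
    read -r -s -p "Enter text to hash: " secret; echo
    count_for_secret "$secret" "${2:-$HOME/Downloads/lj-password-sha1-uniq-count.txt}"
fi
```

Run it as `./check.sh --check [path-to-list]` to be prompted for a secret; the functions can also be sourced and called directly, e.g. `count_for_secret qwerty ~/Downloads/lj-password-sha1-uniq-count.txt`.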

If someone would like to host those as a torrent or create a website for querying the data, that would be cool, but I'm sure HIBP will have it very soon so maybe don't worry about it. :-)

Updates

2020-05-26 22:30: Passwords and emails have now been incorporated into Have I Been Pwned: https://haveibeenpwned.com/PwnedWebsites#LiveJournal. I suppose breach notifications will be rolling out soon.

23:58: Emails are rolling out, but passwords aren't loaded in yet.

2020-05-28 12:30: Firefox is now warning people who visit Livejournal about the breach. There is an update from DW. There is also a very skimpy and vague denial from Livejournal. And (see comments) I think I can narrow the dump date down to May 2012, so the LJ DB would have been compromised before that date.

squirrelitude: (Default)
Scammers have gained access to a list of Livejournal usernames and passwords. I'm not sure how long ago the breach was, but your best bet is to change your password now. Also, if you used that password anywhere else, change your password there as well and if possible check those accounts for signs of compromise. (Change them all to *different* passwords. Use a password manager such as 1Password or Firefox's built-in password manager, or just memorize them and write the less important ones down in a physical notebook.)

Source: People (including myself) are receiving scam emails with some bullshit claim about having installed malware, giving an email address and password as proof. They're using emails and passwords from compromised sites, such as Last.fm, LinkedIn, and now Livejournal. LJ was not known to be compromised, but it's not at all a surprise to me. Other sources:

- https://bifurious.co.uk/livejournal-compromised-in-more-ways-than-one/
- https://siderea.dreamwidth.org/1453052.html
- https://dw-news.dreamwidth.org/38612.html (doesn't name LJ, but you know it)
- https://www.livejournal.com/support/request/?id=2085067 (has since been locked down, although I archived it first and have since been in touch with that user)

You can sign up for https://haveibeenpwned.com/ to keep abreast of further password database breaches (and other leaks of your personal information) although Troy hasn't yet posted about this one, probably since the leaked DB hasn't yet made its way into his hands.

(There is not yet evidence that anyone has used the passwords to log into LJ and scrape your post and comment history and the posts and comments of your friends, but it could happen. If you have abandoned LJ but have *not* wiped out all your posts and unfriended everyone, please go ahead and change your password anyway to protect your friends.)

Update 2018-10-09: I can confirm that the breach happened on or before 2017-04-27. In that first link, a commenter narrows it down to the 2011–2014 window.

Update 2020-05-08: Spammers started using the dump to take over DW accounts and advertise their sites: https://dw-maintenance.dreamwidth.org/81865.html
squirrelitude: (Default)
If you're looking to delete your old Livejournal posts now that you've moved to Dreamwidth and LJ continues to pile on the suck, I've written an honestly kinda crappy tool that does the job:

https://github.com/timmc/lj-expunge

It's repurposed from ljdump and it walks all your journal entries and sets the subject, body, and various metadata fields to "wiped". If someone would like to improve it (there's a TODOs list at the bottom), patches are welcome.

If you find or write another tool to do this, please feel free to link to it in comments.
squirrelitude: (Default)

Has anyone had success recently in authenticating to LiveJournal's API? In particular I'm trying to use the getevents call with cookie auth, but all I get is this:

LJ_USER="..."
LJ_COOKIE="v1:..."
curl http://www.livejournal.com/interface/flat -H "X-LJ-Auth: cookie" -H "Cookie: ljsession=$LJ_COOKIE" -d "ver=1&mode=getevents&user=$LJ_USER&auth_method=cookie"

errmsg
Invalid password
success
FAIL

(I'm trying to write a script to go back through my LJ posts, and for each one replace the contents with the string "deleted" and then delete the post. I stopped crossposting a month or two back and now it's time to clear my history there as best I can...)

ETA: "clear" auth (plaintext username and password) works. Hashtag YOLO. (It's not like any of this was over HTTPS anyhow so whatever. I'll just change the password later.)
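As an added example (not code from the post), here is a small bash helper for the flat interface that does the part the post leaves implicit: parsing the reply. The flat format is the one shown above, alternating lines with a key on one line and its value on the next, and a failed call comes back as success=FAIL plus an errmsg. The request function uses "clear" auth as the ETA describes; the `password` parameter name is assumed from the LJ protocol docs rather than taken from the post, the `selecttype` parameter in the usage comment is likewise assumed, and the endpoint is assumed to be reachable over https (clear auth sends the password in plaintext, so at least put TLS under it). The sample reply used for the offline check is constructed from the error shown in the post.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: call the LJ flat interface
# with "clear" auth and parse its reply (alternating key/value lines).
set -eu

# Print the value for KEY from flat-interface output on stdin (empty if absent).
flat_get() {
    awk -v k="$1" 'NR % 2 == 1 { key = $0; next } key == k { print; exit }'
}

# Return 0 if the reply's "success" field is "OK", 1 otherwise. LJ reports
# failure as success=FAIL plus an errmsg line, as in the post's output.
flat_ok() {
    [ "$(flat_get success)" = "OK" ]
}

# Convert a whole flat reply into key=value lines, for eyeballing or grepping.
flat_to_kv() {
    awk 'NR % 2 == 1 { key = $0; next } { print key "=" $0 }'
}

# A constructed reply matching the failure shown in the post, for offline tests.
sample_failure_reply() {
    printf 'errmsg\nInvalid password\nsuccess\nFAIL\n'
}

# Send MODE with clear auth. LJ_USER and LJ_PASSWORD come from the environment;
# the password is fed to curl on stdin (password@-) instead of as an argument,
# so it does not appear in `ps` output. Any further arguments are passed to
# curl, e.g. extra --data-urlencode pairs. Assumptions (not from the post):
# the "password" parameter name for auth_method=clear, and the https endpoint.
lj_flat() {
    local mode="$1"; shift
    printf '%s' "$LJ_PASSWORD" | curl -sS 'https://www.livejournal.com/interface/flat' \
        --data-urlencode 'ver=1' --data-urlencode "mode=$mode" \
        --data-urlencode "user=$LJ_USER" --data-urlencode 'auth_method=clear' \
        --data-urlencode 'password@-' "$@"
}

# Usage (network; not run here):
#   export LJ_USER=... LJ_PASSWORD=...
#   lj_flat login | flat_to_kv
#   lj_flat getevents --data-urlencode 'selecttype=lastn' | flat_to_kv   # selecttype assumed
#   lj_flat login | flat_ok || echo "auth failed"
```

Pipe any reply through `flat_to_kv` while debugging; once `flat_ok` passes for `login`, the same `lj_flat` call with `mode=getevents` is the starting point for the wipe-and-delete script the post describes.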

squirrelitude: (Default)

I really, really want to move off of Livejournal. Here's my vision:

  1. My friends make Dreamwidth accounts and post there instead, set to crosspost to LJ.
  2. Eventually everyone's posts are on both sites.
  3. Then we stop using LJ, since everyone is on DW as well.

(Why do I want to stop using LJ? Well, I don't want my private journal posts going over plain HTTP instead of HTTPS, where anyone in the café, ISP, and massive government surveillance apparatus can read them; Livejournal feels like it could die at any time and take the community with it; Livejournal's owners are sketchy and tight-lipped and I don't know who is being given access to my journal.)

So would you consider making a DW account?

  1. Sign up for a free account
  2. Set up crossposting to LJ
  3. Optional: Create access filters that match the names of your LJ access filters (otherwise cross-posts will just be friends-locked)
  4. Post so that people know your new account name!

I'm "timmc" on Dreamwidth. Friend me and let me know who you are!

DW is still rolling out TLS, so the crosspost link is still HTTP -- but for people using the HTTPS Everywhere browser extension, you'll be redirected to HTTPS when you click it.

Page generated Jun. 25th, 2025 06:54 pm
Powered by Dreamwidth Studios