LiveJournal credential leak affects 26 million users

Bad news for LiveJournal blogging platform users: hackers are selling their credentials on the underground forums

26 million LiveJournal credentials sold on the underground forums

LiveJournal, one of the larges Russian blogging and social networking platforms in Russia, has suffered a data breach that exposed the credentials of 26 million users. While the cybersecurity incident occurred back in 2017, the sensitive data started being sold and traded only earlier this month on various hacking forums on the dark web.

While there is plenty of evidence to support LiveJournal data leak, the company behind the social network never acknowledged the incident. According to Have I Been Pwned website, which is was released by Microsoft security researcher Troy Hunt and holds a database of the leaked credentials, LiveJournal data leak occurred on January 1, 2017, and resulted in the compromise of 26,372,781 of emails, usernames, and plain text passwords. The leaked passwords were initially hashed as MD5 – a weak algorithm that was easily deciphered by threat actors The circulation of data was only seen in May 2020:^[1]

An archive of the data was subsequently shared on a popular hacking forum in May 2020 and redistributed broadly. The data was provided to HIBP by a source who requested it be attributed to “nano@databases.pw”.

Some sources claim, however, that the breach might have occurred as early as 2014. The number of exposed credentials also varies, as some posts on the underground forums claimed that a total of 33,717,787 LiveJournal unique accounts were leaked.

The leaked credentials were used in the sextorition and other campaigns

Interestingly, the first rumors about the breach occurred as early as October 2018, when several LiveJournal users came forward on Twitter, claiming that their passwords used for the platform were used in a well-known extortion scam scheme. The attackers typically leak credentials in a data breach as such and then send threatening emails to victims, claiming that they have been caught watching porn via the allegedly hacked camera.

The scam revolves around threatening users of the compromising video footage exposure to friends and family, and malicious actors ask to pay the ransom in Bitcoin in order to prevent such a course of events. Since the email involves seemingly secret information such as a password, many users lose their money for good.

Software engineer Alexander Mikhailian was the victim of such a scam back in 2018:^[2]

My #livejournal password was leaked and i received an extortion letter asking to transfer $800 bitcoins or else. I wonder if I am alone, @troyhunt does not have it yet in @haveibeenpwned. Funnily, the password communicated by hackers was converted to lowercase.

There is more evidence that supports the leak, however. According to the company DreamWidth, which worked with the old codebase of the LiveJournal, it has been under active credential stuffing attacks and that the hackers managed to breach DreamWidth users' accounts as well.^[3] The company is rolling out updates to prevent further credential compromise, so relevant users should hurry up and update.

Hackers were circulating data leaked from LiveJournal for many years

Since LiveJournal did not acknowledge the breach, security advocates and investigative journalists began digging deeper into the issue and, along with user reports via various platforms, found plenty of evidence on the underground hacking forums.

According to ZDNet,^[4] the information, which was allegedly leaked back in 2014, was circulating the underground hacking forums for many years. The news outlet claimed that the LiveJournal data was shared between multiple cybercriminal groups and was used for such purposes as brute-force attacks orchestrated by the giant botnets. As evident, sensitive data can also be used in targeted attacks, such as extortion scams.^[5]

Since the data was traded multiple times, it also managed to get leaked online, which explains its late appearance on the dark web. ZDNet claimed that first sightings about LiveJournal information were spotted in July 2019, and some were as cheap as $35 for the whole dump. Ultimately, email addresses, usernames, passwords, and profile URLs of 26 million users can be easily accessed by anyone on the underground forums for free.

Users who previously had created accounts on the blogging platform should immediately change the passwords (as well as passwords on other accounts if they were reused) and treat all the incoming emails of dubious nature as scams.