[BreachExchange] Hackers Sell Data from 26 Million LiveJournal Users on Dark Web

Destry Winant destry at riskbasedsecurity.com
Fri May 29 10:29:05 EDT 2020


https://threatpost.com/hackers-sell-data-livejournal-dark-web/156063/

Passwords and other credentials have been listed on Have I Been Pwned
as attack rumors circulate.

A database containing credentials from more than 26 million
LiveJournal accounts has been leaked online and is being sold on the
Dark Web and hacker forums.

The data contained in the files appears to be from a 2014 incident in
which 33 million accounts were hacked, according to a published
report. Though rumors of that breach have been in circulation for a
couple of years – and there is some debate over when it actually
occurred – the incident was never officially confirmed by LiveJournal,
sources said.

Hackers, however, seem to have been busy using and selling data from
the breach to mount attacks, ultimately sharing it with Troy Hunt from
Have I Been Pwned. The data-breach notification service added a
listing about the LiveJournal leak on Tuesday, citing mid-2019 as the
time news of the breach surfaced.

The listing categorizes the breach as having occurred in January 2017,
compromising 26,372,781 user accounts; the hackers stole email
addresses, passwords and user names for members of the blogging
service. A source who requested that the info be attributed to
nano at databases[dot]pw turned the info over to Hunt, according to the
listing.

“An archive of the data was subsequently shared on a popular hacking
forum in May 2020 and redistributed broadly,” according to the
listing.

Still, other evidence points to the breach happening earlier, according
to another report. A now-defunct data-leak tracking service, We Leak
Info, tweeted in July 2019 about a 2014 leak of 33 million LiveJournal
accounts.

No matter the timeline, it does seem that LiveJournal was compromised
and that user information has been in the hands of bad actors for some
time; they have already acted on that information with various types
of attacks, ranging from credential stuffing to email-based
extortion, according to various sources.

The Have I Been Pwned listing cites “multiple reports of credential
abuse” against a company called Dreamwidth, a spinoff of LiveJournal
based on its original code base with a significant number of crossover
users.

While Dreamwidth never confirmed the attacks, a Twitter user called
“definitely not a huge award-winning fanfic author” who claims to be a
co-founder of the site tweeted in response to Hunt on Tuesday that the
site has definitely seen an uptick in credential-stuffing attacks.

The tweet seems to be backed up by a blog post from Dreamwidth
co-founder and former LiveJournal staffer Mark Smith from April, which
informs users of an update to the site’s authentication mechanism from
outdated and insecure LiveJournal protocols to more secure web
infrastructure.

“We are making some changes to how we do authentication (how you log
in) that will unfortunately break a number of older clients that you
might be using to talk to Dreamwidth,” he wrote. “This is very
unfortunate, but we think that the tradeoffs in improved security are
very much worth it.”

The post stops short, however, of acknowledging that any attacks were
occurring based on data leaked from a LiveJournal breach.

“We do not believe, and have no evidence of, our database ever being
leaked or accessed other than by the three staff members who maintain
Dreamwidth’s infrastructure,” Smith wrote. “We are making these
changes not because of some extrinsic motivation but because we
believe that they’re the right thing to do.”

Meanwhile, there is earlier evidence from a couple of years ago that
shows attackers using LiveJournal data for other scams.

A Twitter user who responded to a tweet by Hunt in 2018 – when rumors
were circulating about a potential unconfirmed LiveJournal breach – said
that hackers tried to extort money from him based on acquiring data
from the breach. Freelance software engineer Alexander Mikhailian said
his LiveJournal password was leaked and he received an extortion
letter “asking to transfer $800 [in] bitcoins or else.”

