LiveJournal Leaked 26 Million Records in 2014, and They Are Now Sold on the Dark Web


Even security experts can be wrong sometimes. As some of you may know, for the last few years, they've been arguing that there's no point in changing your password unless you're sure that it has been stolen. The argument is that if cybercriminals take your login data, they will use it immediately, which means that any password expiration policies are extremely unlikely to have an effect on your account's security. There is a fair amount of logic in all this, but a data breach at a blogging platform called LiveJournal shows that it doesn't always work like that.

There are many things we don't know about the LiveJournal breach. We can say, however, that it did happen, and it happened a while ago. Troy Hunt, the Australian security expert responsible for the HaveIBeenPwned data breach notification service, first heard about the attack back in 2018, but it wasn't until earlier this month that a source sent him the database. The data is fairly old now, but Hunt confirmed that it is real, and he loaded it into HaveIBeenPwned, which means that if you've ever used LiveJournal, you can check whether your credentials have been compromised.

The LiveJournal database has been on quite a journey

ZDNet was the first website to cover the breach, and although its report was fairly thorough, one crucial detail remains unclear. According to the report, the data was stolen in 2014, but Troy Hunt was apparently told that it dates back to 2017. One thing is for sure – the data has been on quite a ride.

ZDNet's sources said that shortly after the breach, the database was privately traded among cybercriminals. Later, it apparently reached a wider audience, and evidence suggests that it was used in sextortion-like scams.

Last year, We Leak Info, a now-defunct service that sold access to stolen data, added the LiveJournal database to its portfolio and continued to offer it to its customers right up until the moment the domain was seized by the FBI.

Earlier this month, a user on one of the underground marketplaces put out an advert for the database and asked $35 for it, but later, it was shared for free on a hacking forum. Curiously enough, the hackers claim that there are 33 million records in the database, but according to Troy Hunt, the number of affected accounts sits at just over 26 million.

LiveJournal won't admit its mistakes

The records contain usernames, email addresses, and plaintext passwords, which goes to show that at the time of the hack, LiveJournal wasn't storing its users' passwords correctly. The blogging platform either saved them in plaintext or it used a weak hashing/encryption algorithm that has been cracked by the cybercriminals. Unfortunately, this is far from LiveJournal's only mistake.
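The contrast between weak and sound password storage, as an added example that is not LiveJournal's or Dreamwidth's code: an unsalted fast hash beside a salted scrypt record, plus a login path that re-hashes legacy records once the user authenticates. The unsalted MD5 legacy scheme, the `scrypt$salt$digest` record format, the function names and the cost parameters are all assumptions chosen for illustration; the article does not say which scheme LiveJournal used.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for illustration, tune for your hardware.
N, R, P = 2**14, 8, 1

def legacy_hash(password: str) -> str:
    """Unsalted MD5 (assumed legacy scheme): same password, same digest, for every user."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str) -> str:
    """Per-user random salt plus memory-hard scrypt, stored as scrypt$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Constant-time check of a password against a scrypt$salt$digest record."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        if scheme != "scrypt":
            return False
        candidate = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P,
                                   dklen=len(expected))
    except ValueError:
        return False  # malformed record: fail closed
    return hmac.compare_digest(candidate, expected)

def login(password: str, stored: str) -> tuple[bool, str]:
    """Verify a login; a legacy record that matches is re-hashed with scrypt.

    Returns (ok, record_to_store). The caller persists the returned record.
    """
    if "$" not in stored:  # legacy unsalted MD5 hex digest
        ok = hmac.compare_digest(legacy_hash(password).encode(), stored.encode())
        return ok, hash_password(password) if ok else stored
    return verify_password(password, stored), stored
```

Upgrading on login only covers accounts that sign in again, so dormant accounts keep their legacy records until they are reset or re-wrapped.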

Although the data breach has been talked about for years, LiveJournal is steadfastly refusing to admit that its systems were compromised. Even now, when downloading the data could be just a couple of clicks away, the platform's owners won't say how the theft happened or when. This sort of behavior is completely inexcusable, and the consequences of it are now visible.

A recent series of posts published by Dreamwidth shows that the number of credential stuffing attacks has increased dramatically over the last few months. Dreamwidth began as a code fork of LiveJournal, and in addition to quite a lot of the source code, it also shares a large portion of its userbase with the compromised service. Yesterday, Dreamwidth's developer said that they believe the spike is due to the LiveJournal database that is now floating around freely.

This incident shows that once data is leaked, there's no going back. Even years later, compromised login information can be a powerful weapon.

May 27, 2020
