Over 26 million Livejournal Credentials Discovered on Dark Web Despite Previous "Fake News" Claim
The credentials of a total of 26,372,781 Livejournal users have been discovered for sale on
the dark web. This raises serious concern and also serves as confirmation, since the
authenticity of the data breach was earlier dismissed by the parent company, the
Rambler. According to the data breach indexing service Have I Been Pwned (HIBP), a
copy of the database containing millions of Livejournal users' credentials was indexed
on its website, establishing an undeniable confirmation of a data breach that
took place 6 years ago.
As claimed by researchers, Livejournal was hacked in 2014, and the hackers made away
with sensitive user information, including the usernames, emails, and plaintext
passwords of their accounts. This was unknown to the site until a number of users
started complaining of being targeted by sextortion email spam campaigns that used their old,
unique Livejournal passwords. These appeared online as early as October 2018.
However, the matter was treated as nothing more than a rumor. Interestingly, vendors on the
dark web have been actively trading and selling the obtained credentials in the midst of
all the “so-called” rumors.
DreamWidth, another blogging platform that shares the same codebase and users with
Livejournal and was established from the latter, has confirmed in a number of posts that
hackers have attempted to get access to their accounts using the username and password
combinations of Livejournal accounts. The credential stuffing attacks on
DreamWidth were supposed to be enough evidence of a data breach on its related
website. However, the Rambler Group denied the confirmation by the DreamWidth
administrators concerning any form of a data breach on their website. The reason is
unclear, but this was possibly done to save the company's reputation.
In a bid to investigate the claims, ZDNet partnered with a threat intelligence firm, Kela, to
substantiate the existence of the database containing credentials of Livejournal users on the
dark web. In their search, they discovered Livejournal users’ data in multiple locations on the
dark web. The combined effort of ZDNet researchers and Kela led to
ads displayed by various vendors, and the willingness of both buyers and sellers to trade the
Livejournal users' data. The researchers also discovered that the threat actors might have traded
the stolen database in private immediately after the 2014 data breach. This explains why
affected users received spam emails, as the data probably fell into the hands of brute-forcing
botnets and spam groups.
After some period of private trading, the data leaked online. In fact, WeLeakInfo, the defunct
data breach indexing service, claimed in July 2019 that it had obtained a copy of the
Livejournal database. The database became commonly available as time went by, and some
marketplaces even offered it for as low as $35, as claimed by the researchers. The database was
also shared on a popular hacking forum, file sharing portals, and various Telegram channels for
The Rambler has, however, dismissed HIBP's announcement that it obtained a copy of the
Livejournal database. According to them, hackers have not accessed their system in any way,
and the circulating data was compiled over the years from different sources through
malware infections and brute-force attacks. However, the fact that some users have been
victims of scam campaigns calls for users to take the necessary steps to halt any
future impact. Users who use the same Livejournal account passwords on multiple platforms
are highly at risk and must change them as soon as possible. Users who
changed their passwords after the alleged breach are safe. DreamWidth has been battling
frequent, serious credential stuffing attacks with the old Livejournal credentials. Hackers
certainly use the same technique on different platforms. However, DreamWidth's case is said to
be visible due to its shared history with Livejournal.
Credential stuffing attacks are very common and have been used by hackers over the years to obtain
the credentials of users. Credential stuffing is the automated injection of stolen usernames and passwords for
fraudulent gain. Breached credentials are entered on a website until a match is found and
uploaded to the dark web. It is a very effective account protection strategy to have the habit of
frequently changing passwords to prevent third parties from accessing accounts with stolen