Millions of Older Credentials Apparently Used in Credential-Stuffing Attacks
The Russian blogging platform LiveJournal confirmed this week that it suffered several brute-force attacks in 2011 and 2012. But it insists that the 26 million usernames and passwords that are now available for sale on darknet forums came from other sources.
Previously published reports pointed to a LiveJournal breach from 2018 that caused the 26 million credentials to leak, but the company has not acknowledged that incident.
“We are keeping track of the information distributed in the internet and want you to feel safe. We analyzed data [that] appeared and can say that the data may be compiled using different sources and mostly falsified,” LiveJournal says in a statement on its website.
Earlier this week, security analyst Troy Hunt, the creator of the HaveIBeenPwned breach-notification service, posted 26 million credentials to his site that he recently obtained, saying they are tied to LiveJournal users. Hunt says the records are being used to launch brute-force attacks against another blogging platform called Dreamwidth, which is based on the LiveJournal code base.
“Dreamwidth has been reporting an uptick in credential stuffing attacks using data from that corpus, so it seems to be useful to some extent,” Hunt tells Information Media Security Group. The usefulness of older credentials is dependent upon password reuse by the account holders, he points out.
In a statement, Dreamwidth reports being hit in March and May with brute-force attacks that it believes leveraged LiveJournal data. Dreamwidth is asking its members to immediately change their passwords.
“We believed at the time, and continue to believe, that the source of the password information being used to break into these accounts is the same black-market file that claims to be LiveJournal password data. Every user we asked whether they had used the compromised password on LiveJournal before confirmed that they had,” Dreamwidth states.
LiveJournal’s Response Over the Years
LiveJournal says that over the last eight years, it has taken several steps to boost security, including disabling older, unused passwords. It says it’s developing two-factor authentication for its members.
Previous security improvements, LiveJournal reports, included:
- Switched to HTTPS for all pages;
- Improved password storage mechanics;
- Implemented a suspicious-activity detection system that tracks and blocks suspicious logins;
- Monitoring for vulnerabilities both within LiveJournal’s code and third-party software it uses;
- Recommending all users update their passwords at least once every six months and avoid reusing passwords on different services.
Older credentials that are compromised and then exposed to hackers can be used to support cybercrime because so many people use the same login credentials across multiple platforms.
“Even as this database dump is potentially in excess of five years old, this situation further supports the importance of password security hygiene,” says Boris Cipot, senior security engineer with technology firm Synopsys. “I would urge all LiveJournal users to change their passwords, not only to their LiveJournal accounts, but all accounts with potentially sensitive or personally identifiable information on a regular basis.”
Chris Hauk, consumer privacy champion with Pixel Privacy, suggests consumers use a password manager as an extra layer of security that they directly control.