Update 27 May 2020 @ 13:17 UTC - See bottom
Update 27 May 2020 @ 19:48 UTC - Related post analyzing passwords in use: https://nullsec.us/livejournal-password-analysis/
There's a lot of talk about the LiveJournal breach going on right now. I wasn't too surprised to receive the HIBP email, I have a lot of abandoned accounts out there. This one wasn't in my password manager, so abandoned though it may be, I wanted to add it and get that password changed.
Odd, though: when I tried to log in, I couldn't figure out what my username or password was. After a bit of stumbling, I found the lost info page and put in the email address that was in the HIBP alert. I got a very odd message back though:
Error - No username(s) for this e-mail address:
Weird, that explains why I can't log in though. After digging through my email, I found a 10-year-old message from LiveJournal with a username wishing me a happy birthday. Now I have a username, one that I know did exist. When I tried that, I got another unexpected message:
There was an error processing your request:
This journal has been deleted and purged.
On another screen it was
This journal has been deleted
So at some point I had an account. When I deleted it, rather than purging all my account information, LiveJournal simply marked it as deleted. I wonder how much information was still associated with this account? The email still exists, since I received the HIBP notification. The username still exists, since it knows that it's associated with a deleted journal. The two appear to be "decoupled" somehow, since it doesn't know I have a username associated with my email.
According to the breach notification, the only remaining data point I don't know about is the "password". Update at the bottom, the password was retained.
There are several things that I do not believe are being done right, which is no surprise when you consider the plaintext password storage.
- Data is not actually being removed, just marked deleted. I find that this happens more often than I would like, which is why I rarely delete accounts. If I do want something removed, I log in, scramble every bit of data I can, and then request removal.
- The error messages provide far more information than necessary. The usual practice is a generic "unknown username or bad password" that does not reveal whether the account exists at all. LiveJournal is not only telling you the email address was found, but why the login failed after that; if a username is found, it tells you why the login is still failing, down to the account's deleted/purged state. Of course, if they hadn't kept the information to begin with, they wouldn't be able to determine any of this.
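Both points above come down to two design choices: what you scrub when an account is deleted, and what your login and recovery endpoints say about account state. The following is an added example, not LiveJournal's code, and every account name, email and password in it is constructed. It keeps a tiny in-memory account store whose delete() purges the email and password and leaves only a username tombstone (enough to serve a public "this journal has been deleted" page, nothing an attacker could use), and it puts "leaky" login/recovery responses that mirror the messages quoted in this post side by side with hardened variants that return one fixed string regardless of whether the account is unknown, deleted, or has a wrong password. dump_rows() stands in for a database dump to show what a breach would actually contain after a proper purge.

```python
"""Soft-delete vs. purge, and leaky vs. uniform auth responses.

Added example (not LiveJournal's code). All accounts below are constructed.
PBKDF2 stands in for a real password hash; the point is only that no
plaintext password is stored and nothing credential-related survives delete().
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GENERIC_LOGIN_ERROR = "Unknown username or bad password"
GENERIC_RECOVERY_MSG = "If an account matches, a recovery email has been sent"
_DUMMY_SALT = b"\x00" * 16  # used only to equalise hashing cost on failure paths


@dataclass
class Account:
    username: str
    email: Optional[str]
    salt: Optional[bytes]
    pw_hash: Optional[bytes]
    deleted: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    def __init__(self) -> None:
        self._by_name: Dict[str, Account] = {}

    def register(self, username: str, email: str, password: str) -> None:
        salt = os.urandom(16)
        self._by_name[username] = Account(username, email, salt, _hash(password, salt))

    def delete(self, username: str) -> None:
        """Purge, not a flag flip: drop email, salt and hash; keep only the
        username tombstone so a public journal URL can still say 'deleted'."""
        acct = self._by_name[username]
        acct.email = None
        acct.salt = None
        acct.pw_hash = None
        acct.deleted = True

    def dump_rows(self) -> List[Tuple[str, Optional[str], Optional[str], bool]]:
        """What an attacker gets if the table leaks (hash shown hex-encoded)."""
        return [(a.username, a.email,
                 a.pw_hash.hex() if a.pw_hash else None, a.deleted)
                for a in self._by_name.values()]

    def _find_by_email(self, email: str) -> List[Account]:
        return [a for a in self._by_name.values() if a.email == email]

    # --- Leaky variants: each branch tells the caller something about account state.
    def recover_leaky(self, email: str) -> str:
        if not self._find_by_email(email):
            return "Error - No username(s) for this e-mail address"
        return "Recovery email sent to " + email

    def login_leaky(self, username: str, password: str) -> str:
        acct = self._by_name.get(username)
        if acct is None:
            return "Unknown username"
        if acct.deleted:
            return "This journal has been deleted and purged."
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            return "OK"
        return "Bad password"

    # --- Hardened variants: one response for unknown, deleted and wrong-password.
    def recover(self, email: str) -> str:
        # Lookup still happens (a real system would send mail out of band),
        # but the response is identical for zero, one or many matches.
        self._find_by_email(email)
        return GENERIC_RECOVERY_MSG

    def login(self, username: str, password: str) -> str:
        acct = self._by_name.get(username)
        if acct is None or acct.deleted or acct.pw_hash is None:
            _hash(password, _DUMMY_SALT)  # pay the same cost so timing is uniform
            return GENERIC_LOGIN_ERROR
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            return "OK"
        return GENERIC_LOGIN_ERROR


def build_demo_store() -> AccountStore:
    """Constructed data: one live account, one deleted (purged) account."""
    store = AccountStore()
    store.register("alice", "alice@example.invalid", "correct horse")
    store.register("bob", "bob@example.invalid", "battery staple")
    store.delete("alice")
    return store
```

The leaky login reproduces the post's problem exactly: an attacker can tell a nonexistent username from a deleted one from a live one with a bad password. The hardened login collapses all three to the same string and the same hashing cost, and after delete() the dump row for the deleted account carries no email and no hash, so there is nothing left to show up in a breach or to retain "for deleted accounts".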
I've heard the saying "data is like nuclear waste"
We should treat personal electronic data with the same care and respect as weapons-grade plutonium - it is dangerous, long-lasting and once it has leaked there's no getting it back
I've also heard "toxic waste", you want to "minimize it, separate it, and manage it."
None of us would hold onto toxic waste if we didn't have to. Too many organizations want to ingest everything they can, collect all the bits, and hold onto them forever. Unfortunately, this creates a huge stockpile of "toxic waste" that, when inevitably leaked, creates a virtual Superfund site. If you don't need data, delete it.
In mid-2019, news broke of an alleged LiveJournal data breach. This followed multiple reports of credential abuse against Dreamwidth, a fork of LiveJournal with a significant crossover in user base, beginning in 2018. The breach allegedly dates back to 2017 and contains 26M unique usernames and email addresses (both of which have been confirmed to exist on LiveJournal) alongside plain text passwords. An archive of the data was subsequently shared on a popular hacking forum in May 2020 and redistributed broadly. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
I can confirm that LiveJournal did keep passwords for deleted accounts, and there does not appear to be anything in the breach that indicates if an account was deleted/purged/active. The columns appear to be some kind of user ID number, Email, LiveJournal profile URL, and password. Of course, without being able to log in, I can't change this password.
I'll also confirm that this was actually my account, not just an email address of mine that LJ didn't bother verifying. The password was one of mine and was a very old and (at the time) often reused password. This is especially interesting since last night I had a purchase made at an online retailer using an old account that wasn't in my password manager. The email linked to it was different, but given the age, it likely reused the same password. Coincidence?