Security Week 23: LiveJournal password leak

On Wednesday, May 27, the Haveibeenpwned service, which tracks user password leaks, added a database of logins and passwords of LiveJournal users. The leak allegedly occurred in 2014.

However, according to Troy Hunt, the founder of Haveibeenpwned, he has received some evidence that the database also contains accounts created later. Judging by the fragment of the database published on the Bleeping Computer website, the email addresses, profile links and plaintext passwords of about 30 million users are now publicly available. The passwords were originally stored as MD5 hashes.

Rumors about a leak of the LiveJournal password database circulated last year. Although representatives of the blog hosting did not report a breach, the authenticity of the data was confirmed, among others, by the owners of the Dreamwidth service. This platform, built on a similar code base, was at one time often used for making copies of blogs. Dreamwidth confirmed an increase in credential stuffing attacks, in which passwords leaked from one service are tried against many accounts on another. The Bleeping Computer article describes in some detail how attackers make use of password leaks.
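What the Dreamwidth side would have been looking at, as an added example (not Dreamwidth's code): credential stuffing shows up as one source trying many distinct usernames in a short time, with an occasional success where the reused password still works. The log format, IP addresses and usernames below are constructed for the example. The detector slides a five-minute window over each source IP's attempts, flags IPs that hit at least `min_distinct_users` distinct accounts, and lists the accounts that logged in successfully from a flagged IP, since those are the ones to force a password reset on.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login log (not real Dreamwidth logs). 203.0.113.7 walks through
# several accounts in seconds and gets into one of them; 198.51.100.4 is a
# single user mistyping their own password.
SAMPLE_LOG = """\
2020-05-27T10:00:01Z login ip=203.0.113.7 user=alice result=fail
2020-05-27T10:00:02Z login ip=203.0.113.7 user=bob result=fail
2020-05-27T10:00:02Z login ip=203.0.113.7 user=carol result=success
2020-05-27T10:00:03Z login ip=203.0.113.7 user=dave result=fail
2020-05-27T10:00:03Z login ip=203.0.113.7 user=erin result=fail
2020-05-27T10:00:04Z login ip=203.0.113.7 user=frank result=fail
2020-05-27T10:00:05Z login ip=198.51.100.4 user=alice result=fail
2020-05-27T10:00:09Z login ip=198.51.100.4 user=alice result=fail
2020-05-27T10:00:15Z login ip=198.51.100.4 user=alice result=success
2020-05-27T10:20:00Z login ip=203.0.113.7 user=grace result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)


def parse_log(text: str):
    """Yield (timestamp, ip, user, result) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], m["user"], m["result"]


def detect_stuffing(text: str, window: timedelta = timedelta(minutes=5),
                    min_distinct_users: int = 5) -> dict[str, tuple[int, list[str]]]:
    """Return {ip: (max distinct usernames seen within one window,
    sorted usernames that logged in successfully from that ip)} for every
    ip that reaches min_distinct_users. Successes count as attempts too:
    a stuffing run that hits a reused password looks like any other try."""
    attempts: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    successes: dict[str, set[str]] = defaultdict(set)
    for ts, ip, user, result in parse_log(text):
        attempts[ip].append((ts, user))
        if result == "success":
            successes[ip].add(user)

    alerts: dict[str, tuple[int, list[str]]] = {}
    for ip, events in attempts.items():
        events.sort()
        start = 0
        peak = 0
        for end in range(len(events)):
            # Advance the window start until the span is at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {user for _, user in events[start:end + 1]}
            peak = max(peak, len(distinct))
        if peak >= min_distinct_users:
            alerts[ip] = (peak, sorted(successes[ip]))
    return alerts


if __name__ == "__main__":
    for ip, (n, hit) in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct accounts tried, successful logins: {hit}")
```

The threshold and window are deliberately simple; in a real deployment the same logic runs per source network or per ASN as well, because stuffing tools rotate through proxy pools to stay under a per-IP limit.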

Another leak is a good reason to look at the situation from the user's side. One of the digest's authors received a notification from Troy Hunt's service. There you can also check (if you trust him) whether a specific password is present in the leak database; the author's current LJ password is not found this way. In general, if over the past couple of years you changed your password on LiveJournal or on another service that suffered a password database leak, you are almost safe.
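The k-anonymity check behind that password lookup, as an added example (not code from the digest or from Troy Hunt's service): the SHA-1 of the password is computed locally, only its first five hex characters are sent to the Pwned Passwords range endpoint, and the 35-character suffix is matched against the returned list on your side, so the service never sees the password or its full hash. The range response below is constructed for offline use: the second entry is the genuine SHA-1 suffix of the string "password", the other two lines and all the counts are made up. `fetch_range` is the only part that talks to the network.

```python
from __future__ import annotations

import hashlib
import urllib.request

# Constructed offline stand-in for the body returned by
# https://api.pwnedpasswords.com/range/5BAA6 : one "<suffix>:<count>" per line.
# Line 2 is the real SHA-1 suffix of "password"; the other lines are made up.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F1F9E1B6A3C8C8D6E0F1A2B3C4D5E6F7A8:0
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that never leaves
    the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn a range response into {suffix: occurrence_count}.
    Entries with a count of 0 are padding (the service adds them when the
    client sends 'Add-Padding: true') and are dropped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":":
            continue  # not a well-formed entry
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the leak corpus (0 = not found).
    The comparison happens locally against the returned suffixes."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (network). Only the 5-char prefix is sent."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    """End-to-end check: hash locally, fetch the range, compare locally."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed response.
    print(sha1_prefix_suffix("password"))
    print(breach_count("password", SAMPLE_RANGE_RESPONSE))
```

A non-zero count means the password is in the leak corpus and should be retired everywhere it is used, whatever site it was originally set on; a zero only means it is not in this corpus, not that it is strong.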

Why almost? The old password may still work on other services if you reused it, or if you have long forgotten that you registered somewhere with it. The Dreamwidth example is telling: at one time it was fashionable to back up your journal to that service, for free and in a couple of clicks. It is easy to forget about such a copy, and attackers, it turns out, can gain access to it. Long-abandoned blogs that could be vandalized are in particular danger. Leaking personal information from friends-locked posts is not a pleasant scenario either.

Bleeping Computer mentions other examples of attacks. Besides taking over accounts on the affected service itself, leaked passwords are used for blackmail in spam mailings. A typical scenario: you receive an email claiming that your computer has been hacked, with the password from the leaked database offered as proof. Users who use the same password everywhere and have never changed it are most at risk: each such incident increases the chances of a total compromise of their personal data, up to theft of funds from a bank account.

LiveJournal is not the only service whose user databases have been made public. At different times, in the loose category of social networks, passwords were stolen from 500px in 2018, AdultFriendFinder and Badoo in 2016, imgur in 2013, and LinkedIn and Last.fm in 2012. The LiveJournal leak stands out for its long delay: after the breach, which occurred sometime between 2014 and 2017, the user passwords did not become publicly available until May 2020.

This, of course, does not rule out that the data was resold on the black market in the meantime. User protection largely depends on the digital service providers, and here one can only wish that everyone, if at all possible, would not store passwords in clear text. But the reality is that users need to act themselves. Using a three-year-old password anywhere is clearly not a good idea.

What else happened:
An interesting study by Kaspersky Lab on an attack on industrial enterprises. The publication deals with the initial stage of such attacks: attempts to penetrate the conventional network infrastructure, which do not differ much from other attacks. The described attack is clearly targeted. It uses phishing emails with malicious attachments (an XLS file with macros) and, unexpectedly, steganography: the script downloads an image from a public hosting service, in order to bypass protection tools, and decodes the next stage of the malware from it.
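The generic mechanism behind that steganography stage, as an added example (not the malware's code; the page does not say which encoding the attackers used, so the length-prefixed least-significant-bit scheme here is an assumption): the downloader fetches an ordinary-looking image, reads the low bit of each pixel byte and reassembles the next stage from those bits. The cover is a constructed buffer of pseudo-random pixel bytes and the payload is a placeholder string. `max_pixel_delta` shows why the carrier looks like any other image to a scanner: no byte changes by more than one.

```python
from __future__ import annotations

import random


def embed_lsb(cover: bytes, payload: bytes) -> bytearray:
    """Write a 4-byte big-endian length followed by the payload into the
    least-significant bit of successive cover bytes (one bit per byte)."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError(f"cover holds {len(cover) // 8} bytes, need {len(data)}")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract_lsb(stego: bytes) -> bytes:
    """Inverse of embed_lsb: read the length, then that many payload bytes."""

    def read_bytes(bit_offset: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[bit_offset + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if 32 + length * 8 > len(stego):
        # A carrier without an embedded payload yields a random length here.
        raise ValueError("declared length exceeds carrier size")
    return read_bytes(32, length)


def max_pixel_delta(cover: bytes, stego: bytes) -> int:
    """Largest per-byte change the embedding introduced (0 or 1 for LSB)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed carrier: 2000 pseudo-random "pixel" bytes with a fixed seed,
# and a placeholder payload standing in for the downloader's next stage.
COVER = bytes(random.Random(2020).randrange(256) for _ in range(2000))
PAYLOAD = b"stage2 placeholder: constructed bytes, not real malware"


def roundtrip(cover: bytes = COVER, payload: bytes = PAYLOAD) -> tuple[bytes, int]:
    """Embed, extract, and report the largest per-byte change."""
    stego = embed_lsb(cover, payload)
    return extract_lsb(stego), max_pixel_delta(cover, stego)


if __name__ == "__main__":
    recovered, delta = roundtrip()
    print(recovered, delta)
```

Real image formats add a layer on top of this: the bits ride in the decoded pixel data of a lossless format (PNG, BMP), since lossy recompression would destroy them, which is one reason the choice of hosting service matters to the attacker.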

The latest version of the UnC0ver jailbreak for iOS devices works even on devices running iOS 13.5. The authors of the jailbreak tool mention the use of some zero-day vulnerability.

Radware specialists conducted an analysis of the Hoaxcalls botnet. Unlike many other criminal operations that mass-compromise network routers and other devices, it does not rely on password guessing but on a set of exploits for common vulnerabilities in embedded firmware. Another botnet uses the legitimate telemetry collection system of the Chinese company Baidu to transfer data from infected systems to its command server.

Microsoft's security division warns about a ransomware group known as Ponyfinal. It specializes in corporate targets. The attack scheme has familiar elements: brute-forcing weak passwords, hands-on operation inside the victim's network, and data theft before encryption. The latter makes it possible to demand a ransom twice: to restore the data and to keep it from being published.

An interesting study by Veracode (news, source in PDF). Of the 85 thousand applications analyzed, 70% were found to contain bugs previously discovered in open source components. Developers of mass-market mobile and desktop software use freely distributed code during development but do not always patch the known vulnerabilities in their builds.
