Experts Reaction On 26 Million LiveJournal Credentials Leaked Online

A database containing over 26 million unique LiveJournal user accounts, including plain-text passwords, is being shared for free on multiple hacker forums. For some time, rumours have circulated that LiveJournal was breached in 2014 and that account credentials for 33 million users were stolen. Since approximately May 8th, 2020, links to a data dump allegedly containing 33,717,787 unique accounts have been circulating on various hacker forums. The passwords were originally stored as MD5 hashes and have since been cracked to plain text.

Experts' Comments

May 28, 2020
Robert Ramsden Board
VP EMEA
Securonix
Yet again we are seeing private consumer information surfacing on hacking forums. This emphasises the importance of password security, both for businesses and individuals. This manifests on two separate, but crucial, levels. Despite LiveJournal’s efforts to encrypt personally identifiable information (PII), the MD5 hashed passwords were easily converted to plain text. This means that businesses that use and process any instance of PII should spare no expense when it comes to customer security. It is much cheaper in the long run to invest in more comprehensive security solutions than it is to recover financially and reputationally from a high profile breach like this. On the other hand, consumers should be sure to use strong passwords, and never reuse login credentials. If you had an account with LiveJournal then you should be sure to change your password immediately, both on this platform and any associated accounts.
May 28, 2020
Boris Cipot
Senior Sales Engineer
Synopsys
Even as this database dump is potentially in excess of five years old, this situation further supports the importance of password security hygiene. I would urge all LiveJournal users to change their passwords, not only to their LiveJournal accounts, but all accounts with potentially sensitive or personally identifiable information (PII) on a regular basis. Additionally, I strongly recommend against re-using passwords. While this is a common and convenient practice, re-using passwords across various services opens users up to added risk—risk that in this case is avoidable by using unique passwords that are changed regularly.
May 28, 2020
Chris Hauk
Consumer Privacy Champion
Pixel Privacy
It seems as if lately it's "another day, another data breach." Incidents such as this underscore the need for users to only use secure and unique passwords to access websites and other online services. Never use the same password on multiple accounts. Once the bad guys get their hands on information like this, they immediately begin trying other sites and services to attempt to access accounts. This can be especially bad when a user has used their streaming service login info for their online banking account. ALWAYS use unique login and password info for each site or service. Use a password manager like 1Password, which not only stores all of your passwords using strong encryption, but can also generate and save passwords for each site or service.
May 28, 2020
Anurag Kahol
CTO
Bitglass
It does not take much effort for outsiders to find unsecured databases and access sensitive information. Leaving a database vulnerable can pose major threats to data security, data subject wellbeing, regulatory compliance, and brand reputation. Personal data is precious, and it is imperative that the proper controls are in place to secure it. Even companies with limited IT resources must take full responsibility for securing user data – there is no excuse for negligent security practices such as leaving databases exposed. To prevent incidents, organisations must have full visibility and control over their users’ data (no matter where it is stored or accessed) by leveraging solutions that enforce real-time access control, detect misconfigurations through cloud security posture management, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent data leakage. It is only with these types of capabilities that an enterprise can be certain that its data is truly safe.
May 28, 2020
Samantha Humphries
Security Strategist
Exabeam
The theft of IDs, passwords and personal details is by far the most common goal for today’s cyber attackers. Vast deposits of valid credentials are gold dust for cybercriminals, as account details are often replicated across multiple platforms and services and can be used for credential stuffing attacks - as we saw recently with the campaign against Zoom. These attacks take advantage of poor password habits, most commonly, using the same password for all accounts. If such a user doesn’t change their passwords, or worse, doesn’t know after a breach like this, many of their other accounts will be vulnerable. There is much to be said for the value of using a password manager to help reduce the risk of impact when a breach occurs. As was the case in this incident with LiveJournal, it can be some years before a leak is discovered - let alone announced - and this gives the attacker, or anyone who has bought the credentials on the dark web, ample opportunity to use them elsewhere. The big risk here is for companies whose employees were affected - if they use the same details for corporate credentials this opens the organisation up to the risk of an attacker accessing the user’s more sensitive work-related accounts. Credentials can be a huge problem for security teams once an attacker is undercover in the network, using valid credentials to look just like a legitimate user.
May 29, 2020
Trevor Morgan
Product Manager
comforte AG
Email addresses, usernames and hashed passwords are valuable information if they fall into the wrong hands, so hackers will target any infrastructure holding critical information, even blogging sites like LiveJournal. While there is no sure-fire way to prevent these hackers from accessing sensitive information, there are solutions that protect the data itself. Although LiveJournal took the steps to encrypt the passwords as MD5 hashes, that decision proved ultimately futile because the passwords were converted to plain text, where they are now accessible for free on hacker forums. Data-centric security such as tokenization, however, travels with the data wherever it goes and is not dependent on perimeter defenses that hackers often penetrate or go around to get to the data. Combine this with stronger processes such as tokenizing data immediately on first touch and de-protecting it only when absolutely necessary under controlled conditions, and you have a security posture which can prevent situations like these.
May 28, 2020
Chris Clements
VP
Cerberus Sentinel
The LiveJournal breach is a case study in security failure from start to finish. The breach has been well known since late 2018 and the dataset suggests it began 4 years earlier in 2014. Even worse, LiveJournal apparently didn’t follow even the most basic security best practices such as securely hashing users’ passwords. This put their users at enormous risk of immediate compromise should there ever be a problem that exposed the LiveJournal database. Attackers can use the cleartext passwords to log in directly to the compromised user’s account and try the same password on other services, as often people will reuse the same password for many or all their accounts. The worst failure however is that LiveJournal is still either unaware or willfully ignorant of the breach and has left its users at risk by failing to notify them or encouraging them to change their passwords. This is completely inexcusable behavior for any organization that is entrusted with data from users. Unless LiveJournal provides a prompt response to this breach and transparent accounting of how it is now conforming to security best practices, I’d encourage any LiveJournal users to abandon the service. They’ve lost any benefit of the doubt now. Due to the time that has passed since the breached data was actively circulated and exploited, it is likely anyone with a LiveJournal account that reused their passwords on other services has already been compromised. Even so, it’s still a good idea for anyone affected by this breach to change the passwords for any accounts they may have reused their LiveJournal password on and enable multifactor authentication everywhere possible. In addition, they should be on the lookout for fake extortion emails where cybercriminals try to appear to have compromising information about them and attempt to “prove” their claims by showing that they have a password the user chose in the past. These are almost unfailingly fake, with the cybercriminal not actually in possession of any sensitive information about the user.
May 28, 2020
Javvad Malik
Security Awareness Advocate
KnowBe4
It's important that credentials like passwords are stored in a secure manner. This means using an appropriately strong hash as opposed to MD5. The problem with storing passwords insecurely is that criminals will try to use the email and password combinations to target other services in password stuffing attacks. It is why it's important that users not reuse the same password across multiple sites and enable 2FA wherever it is available. Any time a user is notified or becomes aware that their account details have been compromised, they should change their passwords on other services that use that password and be wary of unsolicited emails which purport to be related to the breach.
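Several of the commenters above make the same storage point: MD5-hashed passwords were "converted to plain text", and a stronger hash should have been used. The following Python is an added example written for this page; it is not code from the page, from LiveJournal, or from any of the commenters' companies. It assumes the leaked hashes were unsalted MD5 (the page says only "MD5"), and every username, password and wordlist entry in it is constructed. It runs one small dictionary attack twice: against an unsalted-MD5 table, where the attacker hashes the wordlist once and looks up every account, and against the same accounts stored as per-user salted PBKDF2-HMAC-SHA256, where every guess must be recomputed per account at the configured iteration cost and users who chose the same password no longer share a hash. The iteration counts are illustrative parameters, not a recommendation.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for the example; none of it comes from the real dump.
WORDLIST = ["password", "123456", "qwerty", "letmein", "livejournal", "dragon"]
USERS = {                      # username -> password the user chose
    "alice": "password",
    "bob": "dragon",
    "carol": "password",       # same password as alice
    "dave": "Tr0ub4dor&3",     # not in the attacker's wordlist
}


def md5_hex(password: str) -> str:
    """Unsalted MD5 of the password (assumed storage scheme for the leaked data)."""
    return hashlib.md5(password.encode()).hexdigest()


def leaked_md5_table() -> dict:
    """What an attacker holds after a dump of an unsalted-MD5 password column."""
    return {user: md5_hex(pw) for user, pw in USERS.items()}


def crack_unsalted_md5(leaked: dict, wordlist: list) -> tuple:
    """Dictionary attack on unsalted MD5.

    With no salt, the wordlist is hashed once and every leaked hash becomes a
    table lookup: the cost is len(wordlist) MD5 operations however many accounts
    leaked, and users who chose the same password share the same hash.
    Returns (cracked, hash_operations).
    """
    reverse = {md5_hex(word): word for word in wordlist}
    cracked = {user: reverse[h] for user, h in leaked.items() if h in reverse}
    return cracked, len(wordlist)


# Illustrative work factor (assumption for this example). Production values
# should follow current guidance for PBKDF2-HMAC-SHA256, or use a memory-hard
# function such as Argon2id instead.
DEFAULT_ITERATIONS = 600_000


def pbkdf2_store(password: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Store a password as a per-user random salt plus PBKDF2-HMAC-SHA256."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"alg": "pbkdf2_sha256", "iter": iterations,
            "salt": salt.hex(), "hash": digest.hex()}


def pbkdf2_verify(password: str, record: dict) -> bool:
    """Constant-time check of a candidate password against a stored record."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def crack_salted(records: dict, wordlist: list) -> tuple:
    """The same dictionary attack against salted PBKDF2 records.

    The salt defeats the shared reverse table: each guess is recomputed per
    account, and each computation costs the stored iteration count.
    Returns (cracked, hash_operations), counting HMAC iterations.
    """
    cracked, ops = {}, 0
    for user, record in records.items():
        for word in wordlist:
            ops += record["iter"]
            if pbkdf2_verify(word, record):
                cracked[user] = word
                break
    return cracked, ops


if __name__ == "__main__":
    md5_cracked, md5_ops = crack_unsalted_md5(leaked_md5_table(), WORDLIST)
    print("unsalted MD5:", md5_cracked, "after", md5_ops, "hash operations")
    # Small iteration count so the demonstration finishes quickly.
    records = {u: pbkdf2_store(p, iterations=1_000) for u, p in USERS.items()}
    salted_cracked, salted_ops = crack_salted(records, WORDLIST)
    print("salted PBKDF2:", salted_cracked, "after", salted_ops, "HMAC iterations")
    print("alice and carol share a hash under MD5:",
          leaked_md5_table()["alice"] == leaked_md5_table()["carol"],
          "under PBKDF2:", records["alice"]["hash"] == records["carol"]["hash"])
```

Both attacks recover the three weak passwords, which is the point the commenters make about password choice and reuse: hashing does not rescue a password that is in the attacker's wordlist. What the salt and work factor change is the economics. Six MD5 operations crack the whole unsalted table no matter how many accounts it holds, while the salted records cost wordlist-size times iteration-count work per account, and the two users who share "password" are no longer visible as a pair in the dump.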