A database containing over 26 million unique LiveJournal user accounts, including plain text passwords, is being shared for free on multiple hacker forums. For some time, rumours have been circulating that LiveJournal was breached in 2014 and account credentials for 33 million users were stolen. Since approximately May 8th, 2020, links to a data dump allegedly containing 33,717,787 unique accounts have been circulating on various hacker forums. The passwords were converted to plain text after initially being stored as MD5 hashes.
Millions of LiveJournal accounts leaked online https://t.co/qavdjNMKNx pic.twitter.com/2uMmSag6S0
— Zblog (@ZblogWebsite) May 27, 2020
Email addresses, usernames and hashed passwords are valuable information if they fall into the wrong hands, so hackers will target any infrastructure holding critical information, even blogging sites like LiveJournal.
While there is no sure-fire way to prevent these hackers from accessing sensitive information, there are solutions that protect the data itself. Although LiveJournal took the steps to encrypt the passwords as MD5 hashes, that decision proved ultimately futile because the passwords were converted to plain text where they are now accessible for free on hacker forums.
Data-centric security such as tokenization however, travels with the data wherever it goes and is not dependent on perimeter defenses that hackers often penetrate or go around to get to the data. Combine this with stronger processes such as tokenizing data immediately on first touch and de-protecting it only when absolutely necessary under controlled conditions, and you have a security posture which can prevent situations like these.
Yet again we are seeing private consumer information surfacing on hacking forums. This emphasises the importance of password security, both for businesses and individuals. This manifests on two separate, but crucial, levels. Despite LiveJournal’s efforts to encrypt personally identifiable information (PII), the MD5 hashed passwords were easily converted to plain text. This means that businesses that use and process any instance of PII should spare no expense when it comes to customer security. It is much cheaper in the long run to invest in more comprehensive security solutions than it is to recover financially and reputationally from a high profile breach like this. On the other hand, consumers should be sure to use strong passwords, and never reuse login credentials. If you had an account with LiveJournal then you should be sure to change your password immediately, both on this platform and any associated accounts.
Even as this database dump is potentially in excess of five years old, this situation further supports the importance of password security hygiene. I would urge all LiveJournal users to change their passwords, not only to their LiveJournal accounts, but all accounts with potentially sensitive or personally identifiable information (PII) on a regular basis. Additionally, I strongly recommend against re-using passwords. While this is a common and convenient practice, re-using passwords across various services opens users up to added risk—risk that in this case is avoidable by using unique passwords that are changed regularly.
It seems as if lately it\’s \”another day, another data breach.\” Incidents such as this underscore the need for users to only use secure and unique passwords to access websites and other online services. Never use the same password on multiple accounts. Once the bad guys get their hands on information like this, they immediately begin trying other sites and services to attempt to access accounts.
This can be especially bad when a user has used their streaming service login info for their online banking account. ALWAYS use unique login and password info for each site or service. Use a password manager like 1Password, which not only stores all of your passwords using strong encryption, but can also generate and save passwords for each site or service.
It does not take much effort for outsiders to find unsecured databases and access sensitive information. Leaving a database vulnerable can pose major threats to data security, data subject wellbeing, regulatory compliance, and brand reputation. Personal data is precious, and it is imperative that the proper controls are in place to secure it. Even companies with limited IT resources must take full responsibility for securing user data – there is no excuse for negligent security practices such as leaving databases exposed. To prevent incidents, organisations must have full visibility and control over their users’ data (no matter where it is stored or accessed) by leveraging solutions that enforce real-time access control, detect misconfigurations through cloud security posture management, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent data leakage. It is only with these types of capabilities that an enterprise can be certain that its data is truly safe.