
Cyber Incident Victim: LiveJournal

Date: Jan 2014

Location: Russia

Summary

A previously compromised user database from a blogging platform was leaked online, exposing approximately 26 million credentials including usernames, email addresses, and plaintext passwords. The stolen data, initially obtained through unauthorized access years earlier, circulated privately among threat actors before being sold on dark web marketplaces and later distributed freely across hacking forums and file-sharing platforms. Despite evidence of the breach and subsequent credential-stuffing attacks affecting related services and other online accounts, the platform's parent company did not formally acknowledge the incident. The leaked credentials fueled ongoing automated login attempts targeting accounts where users had reused their old passwords.

Description

The LiveJournal credential leak incident originated from a security breach in 2014 that remained unacknowledged by the platform's owner, Rambler Group, for years. Evidence of compromised user data surfaced in October 2018 when former LiveJournal users received sextortion emails containing their unique passwords, suggesting unauthorized access to account credentials. Between 2018 and 2020, multiple cybersecurity discussions and DreamWidth's reports of credential stuffing attacks indicated ongoing exploitation of stolen LiveJournal data, though Rambler Group consistently declined to confirm a breach. Confirmation came on May 26, 2020, when Have I Been Pwned (HIBP) announced it had indexed a database containing 26,372,781 LiveJournal user records—including usernames, email addresses, and plaintext passwords—obtained from the 2014 intrusion. Threat intelligence firm KELA verified the database's authenticity and traced its circulation through underground markets, where brokers advertised the data for sale as early as July 2019 through the defunct service WeLeakInfo. By 2020, the dataset appeared on a dark web marketplace priced at $35 before being widely distributed for free via hacking forums, Telegram channels, and file-sharing portals. Analysis revealed the data had circulated privately among threat actors since 2014, passing through spam operations and brute-forcing botnets before broader leakage occurred.

The compromised credentials primarily impacted DreamWidth—a LiveJournal-derived platform—which experienced sustained credential stuffing attacks as attackers tested reused login combinations. While DreamWidth implemented technical updates to mitigate these attacks, the risk extended to any online service where users had recycled their LiveJournal credentials. The dataset's plaintext password storage heightened exploitation risks, enabling immediate account takeover attempts across multiple platforms. HIBP provided a verification portal for users to confirm exposure, though individuals who changed passwords post-2014 faced reduced direct risk. No remediation efforts by Rambler Group were documented in available sources, leaving credential rotation and third-party account security as the primary protective measures for affected users. The six-year gap between initial breach and public confirmation allowed prolonged misuse of the data, with historical evidence showing its role in spam campaigns years before broader distribution.
