(no subject)

[denise]

Some of you have noticed an uptick in spam accounts following you this week -- it was because a group of spammers were able to take over some legit accounts and use them for spam. (Our usual antispam efforts have worked pretty well to take care of newly created spam accounts, so spammers are going for the old ones instead.) It does appear that the accounts that were hijacked had used the same password they used on Dreamwidth for other sites, and the spammers found that username/password combination in one of the many black market venues for password resale.

We think we've managed to catch and suspend all the accounts that were being used for spamming -- if yours was one of them, open a support request in the Terms of Service category and we'll help you resecure your account so we can unsuspend it. If you spot one that our automated scan missed, open a support request in Anti-Spam and we'll take a look as soon as we get through the backlog of the already-reported ones. If you spot one and it's already been suspended, you don't have to report it.

This is a great time to remind everyone: please don't reuse passwords for multiple sites! The best and most secure way of handling passwords is to download a password manager, like Dashlane, 1Password, Keeper, LastPass, or Zoho. (Everyone has their own favorite, but those are all reputable and secure.) Let the password manager generate and remember passwords for you. This improves security for everyone!

(Edit:) I also forgot to remind people: you can check to see if your information has appeared in a data breach at Have I Been Pwned? It's a legitimate security research site that keeps a database of which account information is for sale on the black market. They don't tell you which passwords were compromised, just whether your email address appears in a collection of passwords, and they don't have every dataset that's circulating on the black market, but if your email address gets a result there, you should change your password on that site immediately, change the password on any site that you used the same password for (and make it a unique password!), and never use that password again. People who have the black market file try those username/password combinations on every site they can find to see how many accounts they can get into.

Comments

[frith]

Thank you for the heads-up and for swatting those parasitic spammers. ^_^

[alexseanchai]

thank you!

[spectrier]

I did wonder why I had people subscribing to me out of nowhere! Thanks for the explanation and quick resolution of the issue.

[weofodthignen]

Ah, that had gone through my mind when I saw a mystery subscription; sorry to see I was apparently right, and thanks for being on top of things.

[commoncomitatus]

Thanks for all your hard work on this! <3

[stormy]

Thank you for the heads up! I double checked and changed any compromised passwords today.

[juliet316]

Had a couple of suspicious accounts try to subscribe to me as well. I just ignored them.

[denise]

Check on them if you still have the names, and if they're not suspended, open a support request in Anti-Spam -- I have found a few from user reports that slipped through the cracks of our automated scan, since we were trying to get the spammers and minimize the false positives.

[brooksmoses]

Thanks! Looks like the one that subscribed to me (and which I ignored at the time) is now suspended.

[denise]

Awesome, thank you very much for checking for me! We were dithering over where to set the threshhold, since even though I checked everything the query returned as suspicious manually before suspending, we were trying to avoid too many false positives.

[juliet316]

I checked after I made my earlier post, they're already suspended.

[denise]

Awesome, thank you for checking!

[naye]

Brilliant. Thank you so much for dealing with them!

[dewline]

Decided to pre-emptively ban-hammer my three suspects.

Thanks in any case!

[denise]

If you still have the names, check on them, and if they're not suspended, please open a support request in Anti-Spam! We caught a whackload with our automated scan, but I've already identified a few from user reports that slipped through the cracks because they didn't match all our criteria.

[dewline]

Looking for the names now.

[denise]

Don't worry if you can't find it -- chances are pretty good we already got them -- but if we can spot who fell through the cracks, we can refine our next search.

[dewline]

I found the names. You got all three!

[denise]

That's excellent news; thanks very much for checking!

[paserbyp]

I just checked also and you got one, who tried to hack my account! Excellent job! Thank you so much!

[cmcmck]

Thanks!

No problem here but I was hearing from friends who had been hit

[denise]

Yeah, it was less than a thousand accounts total, but they were really prolific in following people.

[lauand]

Thanks for the info!

[navaan]

I just noticed one today. Thank you for the info and all the work you're doing!! ♥

[veritas_poet]

Thanks for keeping on top of this and for informing us. Y'all are the best.

[unfavorableinstigation]

Adding to the thank-yous! =D

And thank you to the swift response to my own report, as well; glad it's being taken care of.

[paserbyp]

How about to add two factors authentication? To much work?

[denise]

It's on our "eventually" list but we're still debating the best way to do it.

[paserbyp]

Got it.

[the_beasts]

in case this feedback helps at all:

two-factor authentication has locked us out of a lot of websites in recent years. we do not have a mobile phone of any kind and haven't for 8 years, and even if we did we wouldn't be willing to give out our phone number to websites because that feels intrusive and stalkerish to us. knowing that we could get unexpected messages from a website in an offline/in-person way at any time would make us uncomfortable and stressed in our everyday life. so if a website demands a phone number specifically and won't let us opt out of two-factor authentication or use some kind of online-only method of authenticating, we are locked out of the website and can't use it at all.

personally, we are disturbed by the gradual creep of websites and online things into individuals' physical in-person life and location-compromising personal data. the grabby-hands act a lot of sites do and the crawling tendrils that seek out your physical self and cling. the whole point of the internet, to us, has always been that it exists in dataspace, not in meatspace, and you can safely do any and all internet-things without them attaching to your physical life. the internet is not permitted to invade our physical personal space.

thankyou very much for listening! and although we personally were unaffected by the spammers, thanks for your hard work and clear communication with users. it always makes us feel more secure whenever we see a post from you guys about this sort of thing - you demonstrate that we can rely on you to fix things and that you'll tell us when things happen. this is what makes us comfortable enough to speak to you and offer feedback. <3

[denise]

Please don't worry, we will never make 2FA mandatory, and there are ways you can implement it without requiring a phone number. (The sites asking you for a phone number are generally doing it for password recovery if you get locked out of your account and can't receive the password reset email; 2FA-via-text-message is only slightly more secure than no 2FA at all, since texts aren't very secure, so most places have moved away to using a phone number for 2FA.) 2FA is, however, a very good option to have for people who are really concerned about the security of their account, people who are "high value" targets like activists and journalists whose accounts may contain information that would be either profitable or compromising, and people who have to use untrusted networks or computers to connect to their accounts. For those people, having the option to enable 2FA can really improve their security. (For instance, even if somebody manages to intercept my password for our payment processo r, they won't be able to steal all our moneyz because I have 2FA turned on.)

[the_beasts]

that is such good news! thankyou so much for your reply! :D

we thought there must be better ways to do it than requiring phone numbers, we just haven't personally seen anywhere do so and call it 2FA. the only times we've heard the phrase so far have been in reference to requiring phone numbers, so that was the only pattern we had for it, but still we thought it must be more than that (hence saying -if- they require a phone number). we're delighted to learn that our suspicions were correct - there are better ways to do it! and we're unsurprised that you folks are on top of that and being awesome. x3

we're also very glad to hear about the ways 2FA can be used to keep at-risk people safe, and otherwise be extremely helpful. that's excellent and we're very much in favour of the option being there for those who need or want it! we see what you mean about the situations like you mentioned, and we agree it's very important to offer people ways to keep themselves and their data secure no matter what their situation. we're very glad you're working on that, thankyou.

it is sooo good to hear from you that you'll never make it mandatory. we thought you likely wouldn't, knowing the dreamwidth staff and style - your approach has always been in favour of options and choice and diversity and accessibility, which has been instrumental in this place becoming our no1 favourite website ever and online home - but we and accessibility in general get shut out and left by the wayside so consistently that it's still extremely reassuring to hear confirmation from you that you're not going to go that way. so even though we know that in general it's not the sort of thing dreamwidth is likely to do, this website means a lot to us and it's a huge relief to hear specific confirmation that we're definitely not going to lose access to it. thankyou very much for your dedication to keeping things accessible and preserving users' free will and choices. <3

you all are wonderful. <3 <3 <3

[lizvogel]

Thank you for not making 2FA mandatory! I'm another one who doesn't thinking giving my cell # to everybody on the planet in any way improves my security. Plus, it's an enormous PITA when I routinely access certain accounts from different devices (home computer vs. traveling computer, etc.). I'd much rather be good about my passwords and take reasonable care to maintain my own security.

2FA-via-text-message is only slightly more secure than no 2FA at all, since texts aren't very secure, so most places have moved away to using a phone number for 2FA.

I wish. My banks both still insist on texts. Which is why I don't have online banking set up with either of them.

[denise]

Yeah, that's part of the problem, there are A LOT of cargo-cult-implemented terrible 2FA systems out there that have really poisoned the well on the concept. As evidenced by how many people panic whenever someone asks us if we'll ever let people enable 2FA on their account in the future!

(I mean, if nothing else, y'all can count on the fact that we don't want your phone number any more than you want us having your phone number; our general philosophy is that there has to be a REALLY GOOD reason for us to ask you for any personal data. And with us you know that's 'really good' from the standpoint of "will it let you do something that people really want to do on the site", not the standpoint of "how can we convince them to give us more data we can sell", because you can ALWAYS count on us being too stubborn (and too lazy) to sell user data.)

[alexseanchai]

one of my perpetual complaints lately is "I wish fandom would move from Tumblr to Dreamwidth, but that isn't going to happen unless Dreamwidth sells its soul", since the main draw of Tumblr is media hosting and that kind of server space costs money and there might not be any ethical means to get Dreamwidth that much money.

thank you for refusing to sell your soul.

[thenewbuzwuzz]

I love you, guys. Thanks for all you do.

[20_00]

Hello. Please do not make two-factor authentication mandatory. In my country it is dangerous to use a phone for authorization. This does not reduce the likelihood of hacking, but rather increases it. Thanks.

upd. I saw below that you are not going to make it mandatory. OK :)

[denise]

Yes, please don't worry! 2FA is very good for some use cases and very bad for others, so since we're not storing high risk data like health records or financial information, there's no reason to ever make it more than an optional piece of security for someone who's a higher value target to enable if they want to.

[20_00]

Thanks!

[weofodthignen]

Thirding the request not to make 2FA mandatory; I see your statement that you won't, but you may not realize just how much of a problem being required to have a smartphone would be to some (the cost, just for starters), and if I lose my laptop or it quits working, I want to be able to continue with my online life! I'm sure there are many people who don't have two devices.

[denise]

No, trust me, I do know! There are ways to do 2FA without a phone or second internet-enabled device (that's part of why we haven't figured out how we want to offer it yet, because there are a lot of bad 2FA implementations out there) but mandatory 2FA makes no sense unless you're storing high risk information like health records, prescribing details, or financial information. The reason for us to add optional 2FA would be for another layer of security for people like journalists, activists, or people with domestic abuse or an ex who keeps trying to get into their account: it offers more protection than a password alone, but in addition to the people who can't use it for whatever reason, it's an added layer of annoyance when logging in even if you knew for certain that you are a higher value target. There's absolutely no reason for us to make it mandatory.

[ex_flameandsong751]

Thank you for the very speedy resolution!

[ppk_ptichkin]

I was about to report a spammer or three. Thank you for cleaning this up!

[turgutmakbak]

This is not as bad (by far!) as at some other places. E.g. I think Ello has a much bigger problem with legit accounts taken over by spammers.

[tanya_salpe]

Thank you so much!

[sheliak]

Good to know what's going on!

[dragoness_e]

I know for a fact that all my old LJ accounts are compromised, with the e-mail/account name/passwords being in cyber-criminal hands. Methinks the Russian entity that owns Livejournal now isn't too fussy about security, or something.

Fortunately, I didn't use those passwords anywhere else. If anyone here migrated from LJ, as I did, make sure you don't use the same passwords as you did on LJ.

[denise]

Let me be scrupulously careful here in how I phrase this: There are files ("dumps") on the black market that claim to be from a LiveJournal breach in 2014, and I've never seen anyone who was listed in the dumps say that their information was incorrect (and have seen many who have said it was). However, LiveJournal has never confirmed the breach or informed their users of the problem, so there's a chance the dumps are fake, or that the account info is from another source that the compiler of the file took and tested against LiveJournal to find people whose passwords were reused. We, as a company, are making no statement and have no opinion on whether LiveJournal had a data breach, and we hope that if they had, they would have notified their users.

That having been said, this is exactly why we take every opportunity we can to remind people that it's a bad idea to reuse passwords across sites! If you've ever used your current Dreamwidth password on any other site (not just LiveJournal), please change it. Password managers are a great way to both generate strong, unique passwords and to store those passwords for you so that you don't lose them.

[seeitbloom]

What about DeadJournal? I did notice some time back that the website started saying it was unsafe every time I went to it and something seemed wrong there as far as security goes, and I got strange pop ups on the site trying to sign in. Yikes.

[denise]

The "not secure" message you get from loading DeadJournal is because the site isn't encrypted -- a while back, all the major browsers started including warnings when you fill out a form and submit any information on a site that's not encrypted. If you're seeing popups when you log in, you'll need to contact them about it, though!

[acciochocolate]

Thanks! I'm seeing negative reviews on IMDB from these trolls and not sure how to report it there.

[rattfan]

I was subscribed to by a "drunkenkitsune" but noticed it was an RU account, also with no entries, so ignored it. Anything else I need to do?

[denise]

If the URL on the profile looks like a spammy porn URL and we didn't catch it yesterday, you can report it to the anti-spam team by opening a support request.

[penguinmayhem]

Thanks for the hard work, guys!

[madfilkentist]

In the past week I got two suspicious-looking followers. That explains it.

LiveJournal refugees should be especially careful not to reuse their passwords from there. A large number of people I know, including myself, got "Caught you on camera watching porn" spam, giving our old LiveJournal passwords as "evidence." In its earlier days, LJ must have been very sloppy about protecting user passwords.

[denise]

I'll repeat what I said above, which is as carefully phrased as I can get it: There are files ("dumps") on the black market that claim to be from a LiveJournal breach in 2014, and I've never seen anyone who was listed in the dumps say that their information was incorrect (and have seen many who have said it was). However, LiveJournal has never confirmed the breach or informed their users of the problem, so there's a chance the dumps are fake, or that the account info is from another source that the compiler of the file took and tested against LiveJournal to find people whose passwords were reused. We, as a company, are making no statement and have no opinion on whether LiveJournal had a data breach, and we hope that if they had, they would have notified their users.

That having been said: this is exactly why we take every opportunity we can to remind people that it's a bad idea to reuse passwords across sites! If you've ever used your current Dreamwidth password on any other site (not just LiveJournal), please change it. Password managers are a great way to both generate strong, unique passwords and to store those passwords for you so that you don't lose them.