(no subject)

[denise]

Some of you have noticed an uptick in spam accounts following you this week -- it was because a group of spammers were able to take over some legit accounts and use them for spam. (Our usual antispam efforts have worked pretty well to take care of newly created spam accounts, so spammers are going for the old ones instead.) It does appear that the accounts that were hijacked had used the same password they used on Dreamwidth for other sites, and the spammers found that username/password combination in one of the many black market venues for password resale.

We think we've managed to catch and suspend all the accounts that were being used for spamming -- if yours was one of them, open a support request in the Terms of Service category and we'll help you resecure your account so we can unsuspend it. If you spot one that our automated scan missed, open a support request in Anti-Spam and we'll take a look as soon as we get through the backlog of the already-reported ones. If you spot one and it's already been suspended, you don't have to report it.

This is a great time to remind everyone: please don't reuse passwords for multiple sites! The best and most secure way of handling passwords is to download a password manager, like Dashlane, 1Password, Keeper, LastPass, or Zoho. (Everyone has their own favorite, but those are all reputable and secure.) Let the password manager generate and remember passwords for you. This improves security for everyone!

(Edit:) I also forgot to remind people: you can check to see if your information has appeared in a data breach at Have I Been Pwned? It's a legitimate security research site that keeps a database of which account information is for sale on the black market. They don't tell you which passwords were compromised, just whether your email address appears in a collection of passwords, and they don't have every dataset that's circulating on the black market, but if your email address gets a result there, you should change your password on that site immediately, change the password on any site that you used the same password for (and make it a unique password!), and never use that password again. People who have the black market file try those username/password combinations on every site they can find to see how many accounts they can get into.

Comments

[shapinglight]

Thanks for the update.

[susanreads]

Oh, that's what that was! I was subscribed to by an empty account, which has been suspended. It was a new account though.

[denise]

Yeah, we always have a handful of newly-created accounts doing the spam follow thing in any given week (and we usually catch those just fine), it's just that this wave used a bunch of older accounts to do it so the volume was a lot higher.

[fred_mouse]

Useful update. I've checked the two surprising follows from the last week, and both have been suspended, so it is nice to know what was going on there! I contemplated reporting the first, because it had no posts, but the account was ten years old - I figured I was being overly paranoid. The other one I just shrugged at, because it did have posts, just nothing recent.

[musyc]

Had three, already been whacked. Thanks for the update!

[tellshannon815]

That explains the random account that started following me yesterday!

[random_nexus]

EGAD! Thanks for giving us the heads-up on this! Also, thanks for all the awesome you're doing here. :)

[foxmonkey02]

I had a notification for one new follow, and couldn't figure out why someone would follow a journal set completely to private with only three (OLD AS HELL) public posts. Unfortunately, now we know. Good Lord.

[kama_blackbird]

None of my accounts had their address changed and I switched them all to strong, unique passwords less than a year ago. Does it mean I'm in the clear?

[denise]

If you're using passwords that haven't been used anywhere else, you're fine (on DW at least!) The problem was that people's DW passwords were the same as a password they'd used somewhere else.

[wyld_dandelyon]

"if your email address gets a result there, you should change your password on that site immediately" On which site? You mean the e-mail address? Or any and all sites you have used that e-mail address on?

[denise]

If you enter your email address on haveibeenpwned and it tells you that email address has appeared in data breaches, change your password on any site that HIBP tells you about, and on any site you may have used the same password on.

[allanh]

ZOMG thank you SO MUCH for the heads-up! I've just finished changing the passwords for all three of my DW accounts (unique password for each account, of course), and will do the same for my prior social media accounts next.

[shadowfoto]

thanks for heads up, but FOUR (so far) notifications in my mailbox sounds like we've got a bit more issues than the identity theft alone... :)

[denise]

It's an ongoing problem with news posts -- the millions of emails each one triggers makes the jobs time out and lose track of who's been emailed already and who hasn't. We've done a bunch of work to try to fix it, but obviously that hasn't fixed the problem completely! It's why we're really, really reluctant to post to news these days, but this was pretty important.

[mekare]

Thank you so much! I was about to report the three suspicious empty accounts that followed me this week but you already got them all.

[dreizler]

thank you!

[ara_kiss]

It says I'm fine, no breached accounts.

Thank you!

[infiniteviking]

No suspicious accounts have followed me. Win? :'D

If an email is still accessible, does that mean the DW accounts that use it aren't compromised (though it's still wise to use password managers and change passwords)? Or would we have to log in to each account to confirm it's not suspended?

Thanks for being on top of this!

[denise]

You can tell if a journal is suspended just by looking at it! If it says "this account is suspended, contact us for more info", then it is, otherwise it's not. :)

We only suspended the accounts that were actively being used for spamming, in order to keep the intruder from being able to use them. The reason we asked people to check their email addresses is because there's a chance we may need to forcibly reset the passwords of some accounts in the future to prevent more accounts from being hijacked, and if your email address isn't current, you wouldn't be able to receive the password reset email. So, whenever there's a chance that we might need to reset passwords for people or forcibly log them out of the site, we try to remind everyone to check that their email address is current and they can get mail there.

You can avoid all this hassle by changing all your DW passwords, because we're pretty sure at this point that we've identified the window of time that all this comes from, and anything we do to address it will exclude people who have changed their password since then.

[delight]

My DW password is my LJ password from prior to 2014; I had changed my password on LJ to something else back in 2009 because i wanted it to be my DW password instead. Should I be okay or change just in case?

(That password was only used on LJ, and is now only used on DW; it has been only used on DW since '09.)

[denise]

If you've ever used your current password anywhere else, I would definitely change it.

[al_zorra]

I x-post from DW to another place, but the passwords are different, and so are the handles, and titles.

[denise]

You should be at lower risk as long as your passwords are different, but please do consider using a password manager and randomly generating them!

[ai]

Thank you for all that you do. Scamming and spamming are both going to be on the rise during this time so it's great to see some initiative taken in discussing ways to better protect ourselves. I've been bad about using the same passwords on some accounts here (roleplay accounts so no real loss if they are snatched), but I should form a better habit all the same.

I don't think any of my accounts were affected, but I trust if they were that your support team would assist. Cheers, and good luck with sorting through this.

[arethinn]

Mine were all already thwacked by the time I clicked to see who the heck had followed me.

By "Keeper" did you mean KeePass, or something else?

[denise]

Nope, Keeper! I was working off a recommendation list from a security researcher, since I know everybody has their own preferred password manager and I didn't want to only name one or two.

[hooloovoo_42]

Thanks for removing my mystery subscriber so quickly.

[muffyjo]

Your diligence is very much appreciated! Thank you for all you do.

[abstract]

Hello. Just adding in my voice that I appreciate your transparency and quickly resolving the issue. It's honestly a breath of fresh air to see this type of response these days.

Re: Why my account is suspended?

[denise]

Your account isn't suspended! If you're talking about another account, log into that account and open a support request in the Terms of Service category for someone to look into.

[elizabeth_rice]

I don’t know how I missed this announcement, but somehow I did, and it happened in March so how do I know if this happened to me or not? Maybe it’s a dumb question, but I, honest to God, am reading these announcements for the first time. I had absolutely no clue that this was happening, sorry about that.

[denise]

If your account wasn't suspended, it wasn't being used for spam. However, based on what we've been able to discover about the probable vector of how those accounts were compromised, our current advice is to change both your Dreamwidth password and your LiveJournal password if you haven't changed your LiveJournal password since June/July of 2014. (There's a file circulating on the password black market claiming to be LJ passwords from June/July of 2014. We have no way of telling whether it's legitimate and LJ really did have a password compromise, or if the file is fake and LJ didn't. However, of the people who had their DW accounts compromised and answered our questions about their account history, all of those who answered said that either they had used also the password that was compromised on LJ during that time frame or they couldn't remember for certain but it was likely they had. We are therefore proceeding under the assumption that LJ was the source of the compromise.)

[elizabeth_rice]

Ok, so I went to the “have I been pwned” site and I got 1 hit for email address. However! It is at a site where I don’t and have never opened an account. Which, I don’t know how that is possible?? Do I still need to change my passwords??

[denise]

It's always possible someone mistyped your email address instead of theirs or something! It's probably still a good idea to change passwords, though.