(no subject)

[denise]

In March, we posted several entries about an increase in people breaking into old accounts and using them for spam purposes.

Today has seen another wave of zombie accounts having their profile edited to link to spam and then subscribing to many people. If you see this happen, you don't need to report it to us: we're identifying them automatically and suspending them until their owners can resecure them. If your account is one of the ones suspended, please change your password and edit the profile to remove the spam link from the Website field, then open a support request in the Terms of Service category and we'll get back to you ASAP to unsuspend your account.

We continue to believe the source of the password information is another social media site that many Dreamwidth users also have accounts on. The site in question has declined to investigate the reports we've made to them or to investigate whether the information we've found is legitimate. We will continue not to publicly name them in top-level posts until we're positive we've done everything we can to protect Dreamwidth users who may also have accounts on the site in question, after which point we'll let you know what we know. We're trying to avoid doing that until we think we've caught the vast majority of vulnerable accounts, however.

If you have not changed your Dreamwidth password since May of 2014, we strongly recommend that you change your password. Again: We have no evidence that our servers were compromised, and we have strong evidence that the source of account breakins is another social media site's as-yet-undisclosed breach. However, today's wave of breakins has included a number of accounts that our available methods of figuring out who may be vulnerable didn't catch, so we may need to look more widely for potentially vulnerable accounts.

To verify any email from us about your Dreamwidth password is actually from us, log into your Dreamwidth account and visit the homepage or the dw_news journal. Every email we send you about your account password from here on out will repeat these instructions.

Comments

[frith]

Oh those spammers! Keep up the good work rooting them out!

[jtthomas]

Hey, seems these are different- one of the ones I got was empty entirely. (like, zero posts, hadn't followed anyone ever before today, unless it was wiped in the process of takeover.)

[peoriapeoriawhereart]

That seems to be what often happens.

[denise]

Most of the ones taken over in this wave are people who haven't been active in DW since they created their accounts, yeah! We have pestered everyone else to change their passwords already. :)

[peoriapeoriawhereart]

Thanks so much for keeping us in the loop, being on top of these things and being All the Bag of Chips.

[havocthecat]

I did wonder if I had been followed by another spammer, but hoped not. Should be interesting. Good luck at rooting them all out!

[ayebydan]

thank you!

[juniperberry]

I had wondered why someone would follow me, after their DW hadn't been touched since 2013...

[muccamukk]

I got followed one that hasn't been suspended yet. Should I report to you? Or just wait for you to catch it?

[denise]

We'll get it! Just debating the most optimal way of finding them with minimal manual effort and didn't want a slew of reports of stuff that we'd catch later to answer after the fact.

[myrmidon]

Hey so I tried using updated lj juggler on my pc to log in and it didnt do it. Fine, it hiccups sometimes. Tried logging in manually with the correct password and was IP blocked after a single attempt to log in.

Is there a reason this might have happened? (I had to use mobile to post this, which I hate doing, and the same password logged in just fine?)

[kareila]

The IP blocks don't last for long, they're just to prevent brute force password guessing attempts.

Have you updated your LJ Juggler to use an API key instead of your password? The steps described here for Semagic should also work for LJ Juggler: https://dw-dev.dreamwidth.org/221358.html

[knewaguy]

Are suspended accounts emailed to notify them? Just curious how best to go through old accounts that I might've forgotten about to ensure they're secured and that nothing's happened to them.

[denise]

We haven't been emailing, no, because a) the vast majority of affected accounts are extremely inactive and b) there's no way for us to do it in an automated fashion and we don't have the capacity to do it manually. If you've changed your DW password since May of 2014, you are extremely unlikely to have been one of the compromised accounts, but you can check by loading the journals in any account. If the account is suspended you'll get an error instead of the journal.

[kore]

So you guys are actually fighting zombies!

[moonhare]

I’m always suspicious when someone new follows my quiet little account. I looked at the profile for last night’s arrival and saw they had been here since 2014 and had never even put up one post or comment. Thanks for removing them!

[madfilkentist]

"Another social media site that many Dreamwidth users also have accounts on." Best euphemism of the day! :)

Seriously, though, I'm glad you're staying ahead of the spammers.

[damerell]

I'll be Frank, I think you may know who they mean, if they're not just trying to get our goat. ;-)

[calliopes_pen]

Thank you for everything you've done when it comes to this situation!

[runpunkrun]

Thanks for keeping us updated!

[ruuger]

Is this perhaps a social media site with a mascot that is of caprine persuasion? Because I just got a email from them prompting me to change the password for an old account that I had forgotten about.

[azurelunatic]

>_>
<_< I couldn't *possibly* confirm that.

[killerweasel]

This has nothing to do with what's in the post, but I crosspost from here to my livejournal and the last couple of days, it hasn't been doing it, even if I have it set to default. I go back to edit the entry here and the boxes are unchecked? Maybe it's just me. :-/

[denise]

LiveJournal blocks us semi-regularly because they think "we" look like spammers because we post to them a lot. It usually takes them a bit to unblock us.

[jimmydragon]

Ah, they just got my main muse account. Just sent in a ticket and changed all my other passwords again. Thanks for keeping us posted.

[jducoeur]

Hmm. This sounds suspiciously like my late wife's account, which was set up as a placeholder back in 2009. (She passed away about a year later, some time before I permanently transitioned here from LJ.) Nothing critical -- the account doesn't contain anything real -- but it would be a shame if it got grabbed by spammers. The password I have on file for it seems to be wrong, and trying to get a reset token isn't producing anything at our home domain, which leads me to suspect that she set it to point to our old Comcast address, or something else that I don't have access to.

Any recommendations of anything I should do? Is it worth opening a support request so y'all know that at this point it's basically just a memorial account?

[denise]

First off, I'm sorry for your loss! If you open a support request in Account Payments we can make it a memorial account.

[silkensteel]

Thank you for keeping up with this and being proactive!

[spamsink]

UTF8 in the inbox is broken since a few days ago. E.g.

New comment by [personal profile] username on subject in [personal profile] username. (filter to this entry)
Точно!

[denise]

That is very weird as nothing we had in this code push should have gone anywhere near that. I'll open an issue for it, thanks.

A crossposting tip

[graycardinal]

I haven't seen this step mentioned specifically, but for those who are having trouble with crossposting entries directly from DW to LJ after changing passwords Over There: if you are *not* using a client, make sure you've updated DW's crossposting settings with your new LJ password(s). That may not solve all of the short-term IP blockages, but I'm pretty sure forgetting that step is what caused the one I triggered on one of my own journals.