Denise ([staff profile] denise) wrote in [site community profile] dw_maintenance 2020-05-08 06:31 pm

(no subject)

In March, we posted several entries about an increase in people breaking into old accounts and using them for spam purposes.

Today has seen another wave of zombie accounts having their profile edited to link to spam and then subscribing to many people. If you see this happen, you don't need to report it to us: we're identifying them automatically and suspending them until their owners can resecure them. If your account is one of the ones suspended, please change your password and edit the profile to remove the spam link from the Website field, then open a support request in the Terms of Service category and we'll get back to you ASAP to unsuspend your account.

We continue to believe the source of the password information is another social media site that many Dreamwidth users also have accounts on. The site in question has declined to investigate the reports we've made to them or to investigate whether the information we've found is legitimate. We will continue not to publicly name them in top-level posts until we're positive we've done everything we can to protect Dreamwidth users who may also have accounts on the site in question, after which point we'll let you know what we know. We're trying to avoid doing that until we think we've caught the vast majority of vulnerable accounts, however.

If you have not changed your Dreamwidth password since May of 2014, we strongly recommend that you change your password. Again: We have no evidence that our servers were compromised, and we have strong evidence that the source of account break-ins is another social media site's as-yet-undisclosed breach. However, today's wave of break-ins has included a number of accounts that our available methods of figuring out who may be vulnerable didn't catch, so we may need to look more widely for potentially vulnerable accounts.

To verify any email from us about your Dreamwidth password is actually from us, log into your Dreamwidth account and visit the homepage or the [site community profile] dw_news journal. Every email we send you about your account password from here on out will repeat these instructions.

[personal profile] frith 2020-05-08 11:03 pm (UTC)(link)
Oh those spammers! Keep up the good work rooting them out!

[personal profile] jtthomas 2020-05-08 11:05 pm (UTC)(link)
Hey, seems these are different- one of the ones I got was empty entirely. (like, zero posts, hadn't followed anyone ever before today, unless it was wiped in the process of takeover.)
Edited 2020-05-08 23:09 (UTC)

[personal profile] peoriapeoriawhereart 2020-05-08 11:12 pm (UTC)(link)
That seems to be what often happens.

[personal profile] peoriapeoriawhereart 2020-05-08 11:15 pm (UTC)(link)
Thanks so much for keeping us in the loop, being on top of these things and being All the Bag of Chips.

[personal profile] havocthecat 2020-05-08 11:29 pm (UTC)(link)
I did wonder if I had been followed by another spammer, but hoped not. Should be interesting. Good luck at rooting them all out!

[personal profile] ayebydan 2020-05-08 11:32 pm (UTC)(link)
thank you!

[personal profile] juniperberry 2020-05-08 11:38 pm (UTC)(link)
I had wondered why someone would follow me, after their DW hadn't been touched since 2013...

[personal profile] muccamukk 2020-05-08 11:55 pm (UTC)(link)
I got followed by one that hasn't been suspended yet. Should I report to you? Or just wait for you to catch it?

[personal profile] myrmidon 2020-05-09 01:02 am (UTC)(link)
Hey so I tried using updated lj juggler on my pc to log in and it didn't do it. Fine, it hiccups sometimes. Tried logging in manually with the correct password and was IP blocked after a single attempt to log in.

Is there a reason this might have happened? (I had to use mobile to post this, which I hate doing, and the same password logged in just fine?)

[personal profile] kareila 2020-05-09 01:23 am (UTC)(link)
The IP blocks don't last for long, they're just to prevent brute force password guessing attempts.

Have you updated your LJ Juggler to use an API key instead of your password? The steps described here for Semagic should also work for LJ Juggler: https://dw-dev.dreamwidth.org/221358.html

[personal profile] myrmidon 2020-05-09 01:29 am (UTC)(link)
I believe they updated it in a way where that wasn't necessary, which was a saving grace for having too many accounts to go in and essentially password change again.

I just didn't know if the hiccup was related since this involved password issues when it'd been working fine for days and had the correct login but continues failing to log me in (it even did it again to reply to this when it had worked correct minutes ago).

Sounds like I may just need to stop using the plug-in. Thanks though!
Edited 2020-05-09 01:30 (UTC)

[personal profile] myrmidon 2020-05-09 02:32 am (UTC)(link)
Oh, I figured that! I just wasn't sure why it had done it with my manual login too.

[personal profile] knewaguy 2020-05-09 03:03 am (UTC)(link)
Are suspended accounts emailed to notify them? Just curious how best to go through old accounts that I might've forgotten about to ensure they're secured and that nothing's happened to them.

[personal profile] kore 2020-05-09 05:37 am (UTC)(link)
So you guys are actually fighting zombies!

[personal profile] moonhare 2020-05-09 09:51 am (UTC)(link)
I’m always suspicious when someone new follows my quiet little account. I looked at the profile for last night’s arrival and saw they had been here since 2014 and had never even put up one post or comment. Thanks for removing them!

[personal profile] madfilkentist 2020-05-09 10:23 am (UTC)(link)
"Another social media site that many Dreamwidth users also have accounts on." Best euphemism of the day! :)

Seriously, though, I'm glad you're staying ahead of the spammers.

[personal profile] damerell 2020-05-11 11:28 am (UTC)(link)
I'll be Frank, I think you may know who they mean, if they're not just trying to get our goat. ;-)

[personal profile] silkensteel 2020-05-13 03:47 am (UTC)(link)
Heh heh heh... yeah what I figured too. Just checked, my password is not the one I used over there.

[personal profile] calliopes_pen 2020-05-09 12:58 pm (UTC)(link)
Thank you for everything you've done when it comes to this situation!

[personal profile] runpunkrun 2020-05-09 07:08 pm (UTC)(link)
Thanks for keeping us updated!

[personal profile] ruuger 2020-05-09 11:04 pm (UTC)(link)
Is this perhaps a social media site with a mascot that is of caprine persuasion? Because I just got an email from them prompting me to change the password for an old account that I had forgotten about.

[personal profile] azurelunatic 2020-05-09 11:11 pm (UTC)(link)
>_>
<_< I couldn't *possibly* confirm that.
Edited (Oh, html. ) 2020-05-09 23:12 (UTC)

[personal profile] spodlife 2020-05-10 09:47 am (UTC)(link)
Mine definitely leaked from there because I started getting those extortion/sextortion emails with it quoted in plain text. Plus also everyone's favourite Tom's music social media space, plus LinkedIn. I can tell because the passwords are all different.

[personal profile] squirrelitude 2020-05-11 01:34 am (UTC)(link)
That breach has been narrowed down to the 2011-2014 window, based on various people's password histories. And that nicely matches DW's observation about password age.

[personal profile] squirrelitude 2020-05-11 08:37 pm (UTC)(link)
Glad to hear that you were able to prod Unnamed Site into getting their butt in gear. :-)

I hope you can eventually get ahold of the actual dump file and resolve the matter once and for all. (Last I saw it was still missing from Pwned Passwords, and it would be a great addition there.)

[personal profile] squirrelitude 2020-05-12 01:08 am (UTC)(link)
Looks like a plausible LJ dump was posted on May 8th to a forum. If it's real, that could explain the fresh wave.

[personal profile] killerweasel 2020-05-10 07:46 pm (UTC)(link)
This has nothing to do with what's in the post, but I crosspost from here to my livejournal and the last couple of days, it hasn't been doing it, even if I have it set to default. I go back to edit the entry here and the boxes are unchecked? Maybe it's just me. :-/

[personal profile] yourlibrarian 2020-05-14 02:47 pm (UTC)(link)
Are they doing so now? Because someone I follow said yesterday that her last several posts haven't gone through. I checked for failure messages but didn't have any then. This morning one showed up for a post I made on Tuesday. (My previous posts, from Sunday and earlier, have all crossposted normally).

This should not be due to a password change as I edited the crossposter with the new one, and the Sunday post went through. Plus that failure then alerted me right away.

[personal profile] yourlibrarian 2020-05-15 10:17 pm (UTC)(link)
I imagine you're much more frustrated! I'll keep trying to crosspost future posts in case the blocks lift, but if they don't go through, they don't go through.

[personal profile] hrrunka 2020-05-16 08:43 am (UTC)(link)
Seems to be happening quite a bit at the moment, presumably at least partly because they've forced a password reset on many (possibly all) users. I guess it's a case of "wait a day or three and try again" assuming your password for there in the system here is correct...

[personal profile] pritkiy_kaban 2020-05-18 12:14 pm (UTC)(link)
Unfortunately, the password reset is not to blame here: while the initial batch of error messages cited wrong LJ password, later it changed to:
Client error: Your IP address is temporarily banned for exceeding the login failure rate.

I would not be especially surprised if someone in Rambler has just axed a range of IPs without much thinking.

[personal profile] hrrunka 2020-05-18 01:06 pm (UTC)(link)
I figure:
  1. LJ have invalidated a lot of older passwords,
  2. so any cross-post attempt by any user from DW using an old password results in a login failure,
  3. and LJ's login failure counter adds to the count from the DW IP address.
  4. A threshold is passed and the IP address is "temporarily banned".
This could take a while to work its way out...
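
The mechanism in the comment above, as an added example that is not part of the thread and is not LiveJournal's or Dreamwidth's code: a sliding-window login-failure limiter fed constructed traffic from one shared crossposting IP. The threshold, window, ban length, address and usernames are assumptions; the second run, which counts failures per IP and account instead of per IP alone, goes beyond what the comment describes.

```python
from collections import defaultdict, deque

class FailureLimiter:
    """Sliding-window login-failure limiter; key_fn chooses what is counted."""

    def __init__(self, key_fn, threshold=5, window=60, ban=300):
        self.key_fn, self.threshold = key_fn, threshold
        self.window, self.ban = window, ban
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.banned_until = {}               # key -> time the ban expires

    def attempt(self, now, ip, user, password_ok):
        key = self.key_fn(ip, user)
        if self.banned_until.get(key, 0) > now:
            return "banned"                  # rejected before the password is checked
        if password_ok:
            return "ok"
        recent = self.failures[key]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                 # drop failures outside the window
        if len(recent) >= self.threshold:
            self.banned_until[key] = now + self.ban
        return "bad_password"


def simulate(key_fn):
    """Replay constructed traffic: one shared crossposter IP, many users."""
    limiter = FailureLimiter(key_fn)
    shared_ip = "192.0.2.10"                 # documentation address, constructed
    # Six users whose stored password was invalidated, one attempt each.
    for t, user in enumerate(["u1", "u2", "u3", "u4", "u5", "u6"]):
        limiter.attempt(t, shared_ip, user, password_ok=False)
    # A seventh user with an up-to-date password crossposts just afterwards.
    return limiter.attempt(10, shared_ip, "u7", password_ok=True)


per_ip = lambda ip, user: ip
per_ip_and_user = lambda ip, user: (ip, user)

if __name__ == "__main__":
    print("counting per IP:          ", simulate(per_ip))
    print("counting per IP and user: ", simulate(per_ip_and_user))
```

Counted per IP, five single failures from five different accounts are enough to lock out the seventh user despite a correct password; counted per IP and account, the same traffic never reaches the threshold.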

[personal profile] jimmydragon 2020-05-10 11:47 pm (UTC)(link)
Ah, they just got my main muse account. Just sent in a ticket and changed all my other passwords again. Thanks for keeping us posted.

[personal profile] jducoeur 2020-05-11 05:48 pm (UTC)(link)
Hmm. This sounds suspiciously like my late wife's account, which was set up as a placeholder back in 2009. (She passed away about a year later, some time before I permanently transitioned here from LJ.) Nothing critical -- the account doesn't contain anything real -- but it would be a shame if it got grabbed by spammers. The password I have on file for it seems to be wrong, and trying to get a reset token isn't producing anything at our home domain, which leads me to suspect that she set it to point to our old Comcast address, or something else that I don't have access to.

Any recommendations of anything I should do? Is it worth opening a support request so y'all know that at this point it's basically just a memorial account?

[personal profile] silkensteel 2020-05-13 03:49 am (UTC)(link)
Thank you for keeping up with this and being proactive!

[personal profile] spamsink 2020-05-14 05:11 pm (UTC)(link)
UTF8 in the inbox is broken since a few days ago. E.g.
New comment by [personal profile] username on subject in [personal profile] username. (filter to this entry)
Точно!



[personal profile] spamsink 2020-05-16 05:01 am (UTC)(link)
On the https://www.dreamwidth.org/inbox/ page all UTF-8 is garbage. However, if I click on any "filter to this entry", the result is good.

As a test: А ВОХ, А НАТ, А РОСКЕТ (all that is Cyrillics).
Edited 2020-05-16 05:04 (UTC)

[personal profile] pritkiy_kaban 2020-05-18 12:08 pm (UTC)(link)
Same here. Cyrillic font is garbaged on home page (posts and tags).

I do remember having the same issue a few months ago; can't remember exactly when if it means firing squad, though.

A crossposting tip

[personal profile] graycardinal 2020-05-16 10:06 pm (UTC)(link)
I haven't seen this step mentioned specifically, but for those who are having trouble with crossposting entries directly from DW to LJ after changing passwords Over There: if you are *not* using a client, make sure you've updated DW's crossposting settings with your new LJ password(s). That may not solve all of the short-term IP blockages, but I'm pretty sure forgetting that step is what caused the one I triggered on one of my own journals.