Russian-owned blogging service LiveJournal has reportedly suffered a hack affecting 26 million user accounts.
According to the reliable Troy Hunt's Have I Been Pwned? service, the incident occurred at some point in 2017. One year later a forked spinoff of LiveJournal called Dreamwidth began noticing credential-stuffing attacks.
Around 26 million "unique" usernames, email addresses and passwords are said to have been stolen from LiveJournal and ended up circulating cybercrime forums.
A lengthy statement from Dreamwidth itself, published yesterday, alleged that stolen data was being used in a fresh round of seemingly successful account compromise attempts.
Beginning in March of 2020, and again in May of 2020, we saw several instances of Dreamwidth accounts being broken into and used for spam. We believed at the time, and continue to believe, that the source of the password information being used to break into these accounts is the same black-market file that claims to be LiveJournal password data.
"We have no way to tell for sure whether LiveJournal has actually had a data breach," the forked platform added, advising: "It's best if you treat any password you've ever used on LiveJournal in the past as compromised, since we can't tell for certain when the alleged breach happened."
LiveJournal was big in the mid-2000s as a spiritual successor to Myspace, itself the second generation along from Geocities and the UX design instincts of teens who had recently discovered the <strike> tag and CSS.
The Register was unable to reach LiveJournal for comment.
The site has all but faded out of the popular consciousness, though in 2017 it was sued for alleged copyright infringement after moderators posted photos on a user-created group, and then ran ads next to them. A year before that, infosec researchers found the notorious Angler exploit kit circulating on the site. ®