So about those zombie spam DW accounts…

[starlady]

The site that was hacked in 2014 which has provided spammers the passwords for defunct DW journals was LiveJournal. The hackers obtained not only passwords but also email addresses; if you reused the same password for your DW when you created it from LJ, or if you had multiple LJs linked to the same email address, that information has been circulating and is now freely available. 

Full details at this link. If you can't remember the last time you changed your password, or whether your password is unique, you should change it now. I would also recommend using a password manager to avoid having to remember your passwords and to create more secure ones. I use LastPass because of inertia, though my understanding is that 1Password is slightly better. The UX on the functions is occasionally annoying, but it's well worth sporadic upfront hassle in my experience. In either case, one of the best things you can do for security is to get one and to use it consistently.

ETA: official Dreamwidth post on the breach from denise, with a good comment about password managers attached.

Comments

[sovay]

If you can't remember the last time you changed your password, or whether your password is unique, you should change it now.

I changed my LJ password for reasons about two weeks ago (I do not use the account anymore except to comment on one friend's journal) and DW always had its own password, but I am glad, argh, to have this information.

[edit] Also my 2014 LJ e-mail has since been nuked. That was luck rather than foresight.

[inkstone]

I had a feeling the site in question was LJ. Denise uses certain phrasing when LJ is involved and I recognized it when she first posted about this.

[snickfic]

Should I also be worried about them having my email address, do you think? I obviously can't change that as easily as I can change my password.

[starlady]

Yeah, I figured it was that or tumblr.

[starlady]

I think it depends on how you were/are using that particular email address--if it's something you use on a fair number of sites, odds are good that it's been exposed at one point or another. Have I Been Pwned? is the service to check. If you were using an address that you wanted to keep secret for whatever reason, or not have associated with that LJ info publicly, you might consider getting another email address and using that with whatever accounts/services you wanted to be less widely known. For me, I have a fandom email that I have attached to most of my fannish accounts; I use it as an alias of my main email account--and I've just checked and seen that it's been exposed in two different breaches. It's a good idea to run your email(s) through HIBP, review your third-party app or device authorizations, and change your email address password from time to time. But in principle if you're using unique passwords for everything changing your account email shouldn't be necessary.

[starlady]

Yeah, I deleted my LJ a long time ago, so in principle I should be okay. But it's a good reminder to run my email addresses through HIBP and do some password updating.

[threeringedmoon]

I've been using Lastpass for years, so I am used to its quirks. I was very happy when my partner gave up his own idiosyncratic system and started using it as well.

[snickfic]

Good to know, thank you! I switched to a password manager a while back, so my passwords should be safe now.