Denise has a pretty good write-up of the LiveJournal password breach over at Dreamwidth.

Specifically:

We’ve seen several contradictory claims about when the file was allegedly gathered from LiveJournal: one claim for June/July of 2014, and one claim for sometime in 2017. From what we’ve learned from our users who we’ve spoken to about their accounts, we believe the 2014 claim is more likely to be accurate and that the person(s) who obtained the data in 2014 didn’t use it for several years, but we can’t say for certain. Because of that uncertainty, it’s best if you treat any password you’ve ever used on LiveJournal in the past as compromised, since we can’t tell for certain when the alleged breach happened.

(It’s worth noting Firefox, for example, leans towards the 2017 date. Regardless, assume compromise.)

Also, LiveJournal’s official response—specifically the claim the data are “falsified”—is… interesting. More specifically specifically, what they seem to be claiming is that someone has taken account details from other breaches and attributed them to LiveJournal. Given that I know I, personally, use a LiveJournal-specific email address and I still got a breach noticed from Have I Been Pwned? this is, to put it bluntly, full of shit.

Anyway, tl;dr:

  • change your password at LiveJournal and any other place you may have used the same password
  • don’t reuse passwords
  • activate multifactor where possible, particularly high-value accounts like email addresses and anything financial1
  • use a password manager.2
  1. Also, preference hard tokens over soft tokens/apps over SMS codes. []
  2. I use 1Password, which is nice but kinda expensive; LastPass and KeePass are more affordable options. []