Disqus Data Breach From 2012 ‘Affects 17.5 Million Users’

Disqus, which makes software for adding comments to news websites, has acknowledged a newly discovered data breach from 2012 affecting more than 17 million users.

The company said it was alerted to the incident by security researcher Troy Hunt late last week and decided to alert users as soon a it had determined the leaked data was genuine.

Ongoing investigation

“Our team is still actively investigating this issue, but we wanted to share all relevant information as soon as possible,” said chief technology officer Jason Yan in a blog post late on Friday.

The most recent of the leaked information dates from July 2012, Disqus said. The company said it didn’t yet know how the data had been stolen.

Disquis said the information was contained in a database snapshot from 2012 that included details going back to 2007 and contained email addresses and Disqus usernames for about 17.5 million users.

The database also contained passwords hashed and salted with the SHA1 algorithm, which has more recently been discredited as being overly easy to decode. Yan said the company moved to the stronger bcrypt encryption method at the end of 2012, amongst other security upgrades.

Many Disqus user accounts don’t include passwords because users sign in via third-party accounts from Google, Facebook or elsewhere.

Users’ sign-up dates and last login dates were also included in the breach, Disqus said.

Disqus said it wasn’t aware of unauthorised users having logged into Disquis accounts as a result of the incident. The company said it doesn’t believe the data had been made widely available.

“No plain text passwords were exposed, but it is possible for this data to be decrypted (even if unlikely),” Yan wrote. “As a security precaution, we have reset the passwords for all affected users. We recommend that all users change passwords on other services if they are shared. Email addresses are in plain text here, so it’s possible that affected users may receive spam or unwanted emails.”

Disqus said the number of users affected is less than 10 percent of its current user base.

A number of other companies, notably LinkedIn, MySpace and Yahoo, have recently discovered and disclosed large data breaches dating back several years.

The broad disclosure of the leaked LinkedIn passwords last year led to hacks targeting those who had reused their passwords elsewhere. Yahoo last week acknowledged its own 2013 hack affected all of its 3 billion accounts, up from the 1 billion it had initially thought were involved.

Hunt, who runs a website called Have I Been Pwned specialising in data breaches, praised Disqus for quickly notifying those affected.

He said 71 percent of the leaked email addresses were already found in his site’s database, indicating those users had been affected by previous breaches.

Do you know all about security in 2017? Try our quiz!