Disqus, which makes software for adding comments to news websites, has acknowledged a newly discovered data breach from 2012 affecting more than 17 million users.
The company said it was alerted to the incident by security researcher Troy Hunt late last week and decided to alert users as soon as it had determined the leaked data was genuine.
“Our team is still actively investigating this issue, but we wanted to share all relevant information as soon as possible,” said chief technology officer Jason Yan in a blog post late on Friday.
The most recent of the leaked information dates from July 2012, Disqus said. The company said it didn’t yet know how the data had been stolen.
The database also contained passwords that had been salted and hashed with the SHA1 algorithm, which has since been discredited as too easy to crack. Yan said the company moved to the stronger bcrypt password-hashing method at the end of 2012, amongst other security upgrades.
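As an added illustration of the kind of upgrade described above (not Disqus's own code), this shows how a service can verify a legacy salted-SHA1 record and transparently rehash it with a slow password hash on the user's next successful login. The legacy record format is assumed, and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so the example runs without third-party packages.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed legacy scheme: SHA1 over salt + password, stored as "sha1$<salt>$<digest>".
# The real pre-2012 format is not given in the article; this is a constructed stand-in.
def legacy_sha1_hash(password: str, salt: bytes) -> str:
    return hashlib.sha1(salt + password.encode()).hexdigest()

def make_legacy_user(password: str) -> dict:
    """Build a constructed legacy user record for demonstration."""
    salt = os.urandom(8)
    return {"hash": f"sha1${salt.hex()}${legacy_sha1_hash(password, salt)}"}

# Upgrade target: a deliberately slow, salted KDF. The article names bcrypt;
# PBKDF2-HMAC-SHA256 (standard library) is used here as an assumption.
PBKDF2_ROUNDS = 200_000

def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"

def verify_strong(password: str, stored: str) -> bool:
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare

def login(user: dict, password: str) -> bool:
    """Verify against whichever scheme the record uses. A successful login
    against a legacy SHA1 record replaces it with the slow hash, so the weak
    hash disappears from storage without forcing a password reset."""
    stored = user["hash"]
    if stored.startswith("pbkdf2$"):
        return verify_strong(password, stored)
    _, salt_hex, digest_hex = stored.split("$")
    candidate = legacy_sha1_hash(password, bytes.fromhex(salt_hex))
    ok = hmac.compare_digest(candidate, digest_hex)
    if ok:
        user["hash"] = strong_hash(password)  # transparent upgrade on login
    return ok
```

Accounts that never log in keep their legacy hash, which is why a forced reset of all affected users, as Disqus did, is still the right response once a breach is known.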
Many Disqus user accounts don’t include passwords because users sign in via third-party accounts from Google, Facebook or elsewhere.
Users’ sign-up dates and last login dates were also included in the breach, Disqus said.
Disqus said it wasn’t aware of unauthorised users having logged into Disqus accounts as a result of the incident. The company said it doesn’t believe the data had been made widely available.
“No plain text passwords were exposed, but it is possible for this data to be decrypted (even if unlikely),” Yan wrote. “As a security precaution, we have reset the passwords for all affected users. We recommend that all users change passwords on other services if they are shared. Email addresses are in plain text here, so it’s possible that affected users may receive spam or unwanted emails.”
A number of other companies, notably LinkedIn, MySpace and Yahoo, have recently discovered and disclosed large data breaches dating back several years.
The broad disclosure of the leaked LinkedIn passwords last year led to hacks targeting those who had reused their passwords elsewhere. Yahoo last week acknowledged its own 2013 hack affected all of its 3 billion accounts, up from the 1 billion it had initially thought were involved.
Hunt, who runs a website called Have I Been Pwned specialising in data breaches, praised Disqus for quickly notifying those affected.
He said 71 percent of the leaked email addresses were already found in his site’s database, indicating those users had been affected by previous breaches.