Disqus, which makes software for adding comments to news websites, has acknowledged a newly discovered data breach from 2012 affecting more than 17 million users.
The company said it was alerted to the incident by security researcher Troy Hunt late last week and decided to alert users as soon a it had determined the leaked data was genuine.
“Our team is still actively investigating this issue, but we wanted to share all relevant information as soon as possible,” said chief technology officer Jason Yan in a blog post late on Friday.
The most recent of the leaked information dates from July 2012, Disqus said. The company said it didn’t yet know how the data had been stolen.
The database also contained passwords hashed and salted with the SHA1 algorithm, which has more recently been discredited as being overly easy to decode. Yan said the company moved to the stronger bcrypt encryption method at the end of 2012, amongst other security upgrades.
Many Disqus user accounts don’t include passwords because users sign in via third-party accounts from Google, Facebook or elsewhere.
Users’ sign-up dates and last login dates were also included in the breach, Disqus said.
Disqus said it wasn’t aware of unauthorised users having logged into Disquis accounts as a result of the incident. The company said it doesn’t believe the data had been made widely available.
“No plain text passwords were exposed, but it is possible for this data to be decrypted (even if unlikely),” Yan wrote. “As a security precaution, we have reset the passwords for all affected users. We recommend that all users change passwords on other services if they are shared. Email addresses are in plain text here, so it’s possible that affected users may receive spam or unwanted emails.”
A number of other companies, notably LinkedIn, MySpace and Yahoo, have recently discovered and disclosed large data breaches dating back several years.
The broad disclosure of the leaked LinkedIn passwords last year led to hacks targeting those who had reused their passwords elsewhere. Yahoo last week acknowledged its own 2013 hack affected all of its 3 billion accounts, up from the 1 billion it had initially thought were involved.
Hunt, who runs a website called Have I Been Pwned specialising in data breaches, praised Disqus for quickly notifying those affected.
He said 71 percent of the leaked email addresses were already found in his site’s database, indicating those users had been affected by previous breaches.
Do you know all about security in 2017? Try our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…