Pierluigi Paganini October 07, 2017

Disqus data breach – The blog comment hosting service for web sites and online communities Disqus has confirmed a data breach that occurred back in 2012.

On Friday evening, the worldwide blog comment hosting service for web sites and online communities Disqus has confirmed a data breach that occurred back in 2012.

In 2012, hackers have stolen details for at least 17.5 million Disqus user accounts.

The popular cyber security expert Troy Hunt, who runs the data breach notification service haveibeenpwned.com, come into the possession of a copy of the stolen data.

New breach: Disqus had a data breach in 2012 which exposed 17.5M accounts. 71% were already in @haveibeenpwned https://t.co/LGaAnj1hUA

— Have I Been Pwned (@haveibeenpwned) October 6, 2017

Hunt reported the issue to Disqus staff on Friday afternoon.

23 hours and 42 minutes from initial private disclosure to @disqus to public notification and impacted accounts proactively protected pic.twitter.com/lctQEjHhiH

— Troy Hunt (@troyhunt) October 6, 2017

Disqus has already started notifying users that were listed in the archive reported by Troy Hunt, the exposed records include email addresses, usernames, sign-up dates, and last login dates in plain text. The experts noticed that SHA-1 hashed passwords were only included for about 33% of all records.

Disqus declared that at the end of 2012, it switched the password hashing algorithm from SHA1 to bcrypt.

“Yesterday, on October 5th, we were alerted to a security breach that impacted a database from 2012. While we are still investigating the incident, we believe that it is best to share what we know now. We know that a snapshot of our user database from 2012, including information dating back to 2007, was exposed. The snapshot includes email addresses, Disqus user names, sign-up dates, and last login dates in plain text for 17.5mm users. Additionally, passwords (hashed using SHA1 with a salt; not in plain text) for about one-third of users are included.” states the breach notification puclished by Disqus.

In response to the incident, the company started contacting users and resetting the passwords related to the users that had passwords included in the breach.

“As a precautionary measure, we are forcing the reset of passwords for all affected users. We are contacting all of the users whose information was included to inform them of the situation.” continues the Disqus data breach notification.

“We’ve taken action to protect the accounts that were included in the data snapshot. Right now, we don’t believe there is any threat to a user accounts. Since 2012, as part of normal security enhancements, we’ve made significant upgrades to our database and encryption in order to prevent breaches and increase password security. Specifically, at the end of 2012 we changed our password hashing algorithm from SHA1 to bcrypt.”

According to Disqus, there is no evidence of unauthorized logins or any other abuses associated with the stolen data.

The company is still investigating the incident.

Pierluigi Paganini

(Security Affairs – Disqus data breach , hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]