Disqus data breach – 2012 incident Exposed details for 17.5 Million users

Disqus data breach – The blog comment hosting service for web sites and online communities Disqus has confirmed a data breach that occurred back in 2012.

On Friday evening, the worldwide blog comment hosting service for web sites and online communities Disqus has confirmed a data breach that occurred back in 2012.

In 2012, hackers have stolen details for at least 17.5 million Disqus user accounts.

The popular cyber security expert Troy Hunt, who runs the data breach notification service haveibeenpwned.com, come into the possession of a copy of the stolen data.

Hunt reported the issue to Disqus staff on Friday afternoon.

Disqus has already started notifying users that were listed in the archive reported by Troy Hunt, the exposed records include email addresses, usernames, sign-up dates, and last login dates in plain text. The experts noticed that SHA-1 hashed passwords were only included for about 33% of all records.

Disqus declared that at the end of 2012, it switched the password hashing algorithm from SHA1 to bcrypt.

“Yesterday, on October 5th, we were alerted to a security breach that impacted a database from 2012. While we are still investigating the incident, we believe that it is best to share what we know now. We know that a snapshot of our user database from 2012, including information dating back to 2007, was exposed. The snapshot includes email addresses, Disqus user names, sign-up dates, and last login dates in plain text for 17.5mm users. Additionally, passwords (hashed using SHA1 with a salt; not in plain text) for about one-third of users are included.” states the breach notification puclished by Disqus.

According to Disqus, the last entry in the dump is from July 2012, this could be the exact moment when the data breach took place.

In response to the incident, the company started contacting users and resetting the passwords related to the users that had passwords included in the breach.

“As a precautionary measure, we are forcing the reset of passwords for all affected users. We are contacting all of the users whose information was included to inform them of the situation.” continues the Disqus data breach notification.

“We’ve taken action to protect the accounts that were included in the data snapshot. Right now, we don’t believe there is any threat to a user accounts. Since 2012, as part of normal security enhancements, we’ve made significant upgrades to our database and encryption in order to prevent breaches and increase password security. Specifically, at the end of 2012 we changed our password hashing algorithm from SHA1 to bcrypt.”

According to Disqus, there is no evidence of unauthorized logins or any other abuses associated with the stolen data.

The company is still investigating the incident.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Disqus data breach , hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.