Disqus, a comment management and hosting service, has announced that it suffered a data breach affecting 17.5 million users. A snapshot of its database from 2012, with information dating back to 2007, was exposed; it contains email addresses, usernames, sign-up dates, and last login dates in plain text.
Passwords for about one-third of the affected users are also included in the snapshot, hashed with SHA1 and a salt. Disqus was made aware of the breach, and received the exposed data, on October 5th from Troy Hunt, an independent security researcher. Today, the service contacted affected users, reset their passwords, and publicly disclosed the incident.
Jason Yan, CTO of Disqus, says the company has no evidence that unauthorized logins are occurring due to compromised credentials. “No plain-text passwords were exposed, but it is possible for this data to be decrypted (even if unlikely),” Yan said.
“As a security precaution, we have reset the passwords for all affected users. We recommend that all users change passwords on other services if they are shared. At this time, we do not believe that this data is widely distributed or readily available. We can also confirm that the most recent data that was exposed is from July, 2012.”
Since email addresses were stored in plain text, affected users may receive unwanted email. Disqus doesn’t believe there is any threat to user accounts, as it has made improvements over the years to significantly increase password security. One of those improvements was changing the password hashing algorithm from SHA1 to bcrypt.
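The migration Disqus describes, from salted SHA1 to a slow password hash, is usually done lazily: a user's stored hash can only be upgraded when the plaintext password is available, i.e. at the next successful login. The example below is added here to illustrate that pattern; it is not Disqus's code and says nothing about how Disqus actually implemented it. Because bcrypt is not in Python's standard library, the slow hash is stood in for by `hashlib.pbkdf2_hmac` (an assumption; a real deployment would use the `bcrypt` package). The user record, salt and password are constructed for the example.

```python
import hashlib
import hmac
import os

# Legacy scheme: a single SHA1 over salt || password. Fast to compute, so an
# offline attacker with the leaked salt and digest can test guesses very quickly.
def legacy_sha1_hash(password: str, salt: bytes) -> str:
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()

def verify_legacy(password: str, salt: bytes, digest_hex: str) -> bool:
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(legacy_sha1_hash(password, salt), digest_hex)

# Modern scheme (stand-in for bcrypt): a deliberately slow key derivation
# with a per-user random salt and an explicit, tunable work factor.
PBKDF2_ITERATIONS = 600_000

def modern_hash(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record so the parameters can be raised again later.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_modern(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)

def login_and_upgrade(store: dict, username: str, password: str):
    """Verify a login and, if the account still uses the legacy hash,
    rewrite it with the modern scheme. Returns (login_ok, upgraded)."""
    rec = store.get(username)
    if rec is None:
        return False, False
    if rec["algo"] == "sha1":
        if not verify_legacy(password, rec["salt"], rec["hash"]):
            return False, False
        # Plaintext is in hand only now, so this is the moment to re-hash.
        store[username] = {"algo": "pbkdf2_sha256", "hash": modern_hash(password)}
        return True, True
    return verify_modern(password, rec["hash"]), False

def build_demo_store() -> dict:
    # Constructed record in the legacy format; not real breach data.
    salt = b"\x01\x02\x03\x04\x05\x06\x07\x08"
    return {"alice": {"algo": "sha1", "salt": salt,
                      "hash": legacy_sha1_hash("correct horse", salt)}}

if __name__ == "__main__":
    store = build_demo_store()
    print(login_and_upgrade(store, "alice", "wrong guess"))     # (False, False)
    print(login_and_upgrade(store, "alice", "correct horse"))   # (True, True)
    print(store["alice"]["algo"])                               # pbkdf2_sha256
    print(login_and_upgrade(store, "alice", "correct horse"))   # (True, False)
```

The important property for a breach like this one is the cost per guess: a salt stops precomputed tables, but a single SHA1 is still cheap enough that weak passwords fall quickly offline, whereas bcrypt (or the PBKDF2 stand-in here) makes each guess orders of magnitude more expensive. Records that never log in again keep the legacy hash, which is why a migration like this is often paired with a forced reset, as Disqus did here.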
If your account is affected by the data breach, you will receive an email from Disqus asking you to change your password. The company is continuing to investigate the breach and will share new information on its blog as it becomes available.