Disqus, a comment management and hosting service, has announced it suffered a data breach that affects 17.5 million users. A snapshot of its database from 2012, with information dating back to 2007, was exposed; it contains email addresses, usernames, sign-up dates, and last-login dates in plain text.
Passwords hashed with SHA-1 and a salt for about one-third of affected users are also included in the snapshot. Disqus was made aware of the breach and received the exposed data on October 5th from Troy Hunt, an independent security researcher. Today, the service contacted affected users, reset their passwords, and publicly disclosed the incident.
Jason Yan, CTO of Disqus, says the company has no evidence that unauthorized logins are occurring due to compromised credentials. “No plain-text passwords were exposed, but it is possible for this data to be decrypted (even if unlikely),” Yan said.
“As a security precaution, we have reset the passwords for all affected users. We recommend that all users change passwords on other services if they are shared. At this time, we do not believe that this data is widely distributed or readily available. We can also confirm that the most recent data that was exposed is from July, 2012.”
Since email addresses were stored in plain text, affected users may receive unwanted email. Disqus doesn't believe there is any threat to user accounts, as it has made improvements over the years to significantly increase password security. One of those improvements was changing the password hashing algorithm from SHA-1 to bcrypt.
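The SHA-1-to-bcrypt migration described above is typically done lazily: a legacy hash can only be upgraded when the user next logs in and presents the password, so dormant accounts keep their old salted SHA-1 hash and an old snapshot stays valuable to an attacker. The following added example (not Disqus code) illustrates that upgrade-on-login pattern; it assumes a hypothetical `sha1$salt$digest` storage format and uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in for bcrypt so it runs without third-party packages.

```python
import hashlib
import hmac
import os

# Stand-in for bcrypt: a deliberately slow, salted, iterated hash from the stdlib.
PBKDF2_ITERATIONS = 200_000


def legacy_sha1_hash(password: str, salt: bytes) -> str:
    """Hypothetical legacy format, 'sha1$<salt hex>$<digest hex>': fast to brute-force."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def modern_hash(password: str, salt: bytes = None) -> str:
    """Hypothetical modern format, 'pbkdf2$<iterations>$<salt hex>$<digest hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest}"


def verify(password: str, stored: str) -> bool:
    """Check a password against either storage format, using constant-time comparison."""
    scheme, *parts = stored.split("$")
    if scheme == "sha1":
        salt_hex, _digest = parts
        return hmac.compare_digest(legacy_sha1_hash(password, bytes.fromhex(salt_hex)), stored)
    if scheme == "pbkdf2":
        iterations, salt_hex, digest = parts
        calc = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(calc.hex(), digest)
    raise ValueError(f"unknown hash scheme: {scheme}")


def login(user_db: dict, username: str, password: str) -> bool:
    """Verify the login and, on success, upgrade a legacy SHA-1 record in place.
    Accounts that never log in are never upgraded; see still_on_legacy_hash()."""
    stored = user_db.get(username)
    if stored is None or not verify(password, stored):
        return False
    if stored.startswith("sha1$"):
        user_db[username] = modern_hash(password)
    return True


def still_on_legacy_hash(user_db: dict) -> list:
    """Accounts whose stored hash would still be exposed at SHA-1 strength in a snapshot."""
    return sorted(u for u, h in user_db.items() if h.startswith("sha1$"))
```

An operator who cannot wait for users to return has only two remaining options: force a reset for every legacy account, or wrap each stored SHA-1 digest inside the slow hash without knowing the password.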
If your account is affected by the data breach, you will receive an email from Disqus requesting that you change your password. The company is continuing to investigate the breach and will share new information on its blog when it becomes available.
Sadly, I just tested an old Disqus account from 2011 and my password still works.
The company downplayed this in their press release, saying they’ve done forced password changes since, but that does not appear to be the case. Suffice it to say, the Disqus hack is real and folks need to listen — particularly if they are prone to using the same password everywhere…
That said, I’m waiting to hear the how. Now that should be interesting.
Thank you for keeping up the good fight Mr. C.