Disqus Data Breach Affects 17.5 Million Accounts

Disqus, a comment management and hosting service, has announced it suffered a data breach that affects 17.5 million users. A snapshot of its user database from 2012, with records dating back to 2007, was exposed; it contains email addresses, usernames, sign-up dates, and last login dates in plain text.

For about one-third of the affected users, the snapshot also includes passwords hashed with salted SHA-1. SHA-1 is a hash function rather than an encryption scheme, so the hashes cannot be reversed directly, but because it is fast to compute they remain exposed to offline guessing. Disqus was alerted to the breach and received the exposed data on October 5th from Troy Hunt, an independent security researcher. Today, the service contacted affected users, reset their passwords, and publicly disclosed the incident.

Jason Yan, CTO of Disqus, says the company has no evidence that unauthorized logins are occurring due to compromised credentials. “No plain-text passwords were exposed, but it is possible for this data to be decrypted (even if unlikely),” Yan said.

“As a security precaution, we have reset the passwords for all affected users. We recommend that all users change passwords on other services if they are shared. At this time, we do not believe that this data is widely distributed or readily available. We can also confirm that the most recent data that was exposed is from July 2012.”

Since email addresses were stored in plain text, affected users may receive unsolicited email, including phishing attempts that reference the breach. Disqus does not believe current accounts are at risk, as it has since made improvements that significantly increase password security; one of those was switching its password hashing from salted SHA-1 to bcrypt, a deliberately slow hash whose tunable work factor makes offline guessing far more expensive. That change protects passwords hashed after the switch; the salted SHA-1 hashes in the 2012 snapshot are as crackable as they ever were, which is why the affected passwords were reset rather than left in place.
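The migration described above raises two practical questions: how cheap is it to attack a leaked salted SHA-1 table, and how does a service move existing users to a slow hash when it only sees their plaintext at login? The following added example (not Disqus's code; the record layout, salt size, and sample credentials are constructed for illustration) answers both with the Python standard library, using PBKDF2-HMAC-SHA256 as a stand-in for bcrypt, which is not in the standard library:

```python
"""
Password-storage demo: why a salted SHA-1 snapshot is crackable, and how a
service migrates to a slow KDF without forcing every user to reset at once.
Standard library only; PBKDF2-HMAC-SHA256 stands in for bcrypt (assumption).
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed legacy layout (assumption; the real Disqus schema is not public):
# digest = SHA-1(salt || password), with the salt stored beside the digest.
def legacy_sha1_hash(password: str, salt: bytes) -> bytes:
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def legacy_verify(password: str, salt: bytes, digest: bytes) -> bool:
    # Constant-time comparison so verification itself does not leak timing.
    return hmac.compare_digest(legacy_sha1_hash(password, salt), digest)


def crack_legacy(salt: bytes, digest: bytes, wordlist) -> Optional[str]:
    """Offline dictionary attack. The salt defeats precomputed tables, but each
    guess still costs one SHA-1 call, so a leaked table is cheap to attack."""
    for guess in wordlist:
        if legacy_verify(guess, salt, digest):
            return guess
    return None


# Modern scheme: a deliberately slow, salted KDF. The iteration count is the
# cost knob, playing the same role as bcrypt's work factor.
PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 guidance for PBKDF2-HMAC-SHA256


def modern_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=32)
    # Self-describing string so the cost can be raised later without a schema change.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def modern_verify(password: str, stored: str) -> bool:
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def login_and_upgrade(record: dict, password: str) -> bool:
    """Verify against whichever scheme the record uses. On a successful login
    against a legacy record, re-hash with the modern KDF in place: the plaintext
    is only available at login, so that is the moment to migrate."""
    if record["scheme"] == "pbkdf2_sha256":
        return modern_verify(password, record["hash"])
    if record["scheme"] == "sha1":
        if not legacy_verify(password, record["salt"], record["digest"]):
            return False
        record.clear()
        record.update({"scheme": "pbkdf2_sha256", "hash": modern_hash(password)})
        return True
    raise ValueError("unknown password scheme")


# Constructed sample data (not from the breach).
SAMPLE_SALT = bytes.fromhex("0123456789abcdef")
SAMPLE_DIGEST = legacy_sha1_hash("letmein2012", SAMPLE_SALT)
SAMPLE_WORDLIST = ["password", "123456", "disqus", "letmein2012", "qwerty"]


def make_legacy_record() -> dict:
    return {"scheme": "sha1", "salt": SAMPLE_SALT, "digest": SAMPLE_DIGEST}


if __name__ == "__main__":
    print("cracked:", crack_legacy(SAMPLE_SALT, SAMPLE_DIGEST, SAMPLE_WORDLIST))
    rec = make_legacy_record()
    print("legacy login:", login_and_upgrade(rec, "letmein2012"), "-> scheme now", rec["scheme"])
    print("login against new hash:", login_and_upgrade(rec, "letmein2012"))
    print("wrong password:", login_and_upgrade(rec, "wrong"))
```

Running it cracks the constructed salted SHA-1 record with a five-word list, then logs in against the legacy record, which re-hashes it under the slow KDF in place; a second login verifies against the new hash, and a wrong password is rejected under both schemes. In production the re-hashed record is written back to the user store, and legacy rows still unconverted after a migration window are exactly what a breach like this one exposes, which argues for forcing a reset on them rather than waiting for the users to return.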

If your account is affected by the data breach, you will receive an email from Disqus requesting that you change your password. The company is continuing to investigate the breach and will share new information on its blog when it becomes available.


8 responses to “Disqus Data Breach Affects 17.5 Million Accounts”

  1. Sadly, I just tested an old Disqus account from 2011 and my password still works.

    The company downplayed this in their press release, saying they’ve done forced password changes since, but that does not appear to be the case. Suffice it to say, the Disqus hack is real and folks need to listen — particularly if they are prone to using the same password everywhere…

    That said, I’m waiting to hear the how. Now that should be interesting.

    Thank you for keeping up the good fight Mr. C.

    • and THAT is why I’ve always been disliking Disqus. A centralized solution – meaning easy break-in if anything goes awry. Which apparently happened.

      But of course a fancy solution like D. is sooo much better than the decentralized regular comment system of WP .. tsk.

      cu, w0lf.

    • Worked for me as well and I just logged in and closed some very old accounts. Assume I wasn’t one of the 17.55m people affected.

      Guess I need to dedicate a bit of time closing a tonne of accounts that I haven’t used…

    • It says that 17.5M accounts were breached and encrypted passwords were included for about a third, so your account may well not be among those affected and therefore there’d be no reason for the password to be reset. (Also, if you didn’t receive an e-mail from them one’d assume it wasn’t reset either way. Would be quite an issue if they’d reset passwords without notifying.)

  2. I hate this happened, but it’s expected. The downplaying is normal, especially with security and data breaches being so prominent, but if only 1/3 of the accounts were compromised, it’s not surprising that many of us didn’t get the email or auto-reset.

    Despite the issues, I think a system like Disqus works better in a lot of ways than other commenting systems just because of how they’re connected on a network (I get my notifications from tons of convos this way), the same with WP.com or .org logins, too.

