Disqus reveals details of major data breach

Popular blog commenting tool Disqus has revealed it was breached back in 2012, with attackers making off with user email addresses, hashed passwords and other account details.

The breach was confirmed late last week by Disqus itself, which was notified by Have I Been Pwned? – a site that tells you if your email address was compromised in any data breach.

Have I Been Pwned? has, according to the announcement, obtained a copy of the stolen data and notified Disqus. The headline figure is that a snapshot of 17.5 million users was exposed. The snapshot included email addresses, Disqus user names, sign-up dates and last login dates, all in plain text.

The information dates back to 2007. Passwords for about a third of those users were also in the snapshot, though not in plain text: they were stored as salted SHA-1 hashes. Engadget believes the attackers may well have cracked those hashes by now. That is a reasonable assumption: SHA-1 is a fast hash, so an attacker holding the salt alongside each hash can test billions of candidate passwords per second on commodity GPUs. The salt only prevents precomputed lookup tables from being reused across users; it does nothing to slow a dictionary attack against each individual hash.

Disqus says it is still assessing the data, but that there is very little evidence of unauthorised logins. Because email addresses were exposed, affected users should expect spam and phishing mail.

“As a precautionary measure, we are forcing the reset of passwords for all affected users. We are contacting all of the users whose information was included to inform them of the situation,” the company says.

“Right now, we don’t believe there is any threat to user accounts. Since 2012, as part of normal security enhancements, we’ve made significant upgrades to our database and encryption in order to prevent breaches and increase password security. Specifically, at the end of 2012 we changed our password hashing algorithm from SHA1 to bcrypt.”
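The two passages above describe the difference that matters here: a salted SHA-1 hash can be attacked cheaply one user at a time, while a work-factor hash such as bcrypt makes every guess expensive, and a site can migrate from one to the other as users log in. The following is an added example written for this article, not Disqus's code. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 stands in for it as the slow hash; the record layout (`sha1$<salt>$<digest>` and `pbkdf2_sha256$<rounds>$<salt>$<digest>`) and the wordlist are constructed for illustration and are assumptions, not details from the breach.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Legacy scheme (assumed layout): "sha1$<salt_hex>$<hex digest>", digest = SHA1(salt || password).
def hash_legacy_sha1(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"sha1${salt.hex()}${digest}"

# Slow scheme. PBKDF2-HMAC-SHA256 stands in for bcrypt here (assumption: bcrypt
# is not in the standard library); the property that matters, a tunable cost per
# guess, is the same.
PBKDF2_ROUNDS = 100_000

def hash_slow(password: str, salt: Optional[bytes] = None, rounds: int = PBKDF2_ROUNDS) -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"

def verify(password: str, record: str) -> bool:
    """Check a password against a stored record of either scheme."""
    parts = record.split("$")
    if parts[0] == "sha1":
        salt = bytes.fromhex(parts[1])
        expected = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(expected, parts[2])
    if parts[0] == "pbkdf2_sha256":
        rounds, salt, digest = int(parts[1]), bytes.fromhex(parts[2]), parts[3]
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
        return hmac.compare_digest(dk.hex(), digest)
    raise ValueError("unknown hash scheme")

def upgrade_on_login(password: str, record: str) -> Tuple[bool, str]:
    """Verify the password; if it is correct and the stored record is legacy
    SHA-1, return a replacement record in the slow scheme. A site that never
    stored plaintext can only re-hash at the moment the user presents the
    password, so migration happens login by login."""
    ok = verify(password, record)
    if ok and record.startswith("sha1$"):
        return True, hash_slow(password)
    return ok, record

# Constructed wordlist for the dictionary attack.
WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2", "disqus2012"]

def dictionary_attack(record: str, wordlist=WORDLIST) -> Tuple[Optional[str], int]:
    """Try each candidate against one stored record. The salt is stored next to
    the hash, so it does not hinder this per-user attack; it only defeats
    precomputed tables. Returns (recovered password or None, guesses made)."""
    for i, guess in enumerate(wordlist, 1):
        if verify(guess, record):
            return guess, i
    return None, len(wordlist)

def seconds_per_guess(record: str, guesses: int = 10) -> float:
    """Average cost of one wrong guess against a record: this is what the
    hashing scheme controls, and what decides how far a wordlist gets."""
    t0 = time.perf_counter()
    for i in range(guesses):
        verify(f"wrong-{i}", record)
    return (time.perf_counter() - t0) / guesses

if __name__ == "__main__":
    legacy = hash_legacy_sha1("hunter2")
    slow = hash_slow("hunter2")
    print("legacy cracked:", dictionary_attack(legacy))
    print("slow cracked:  ", dictionary_attack(slow))
    print("cost legacy: %.2e s/guess" % seconds_per_guess(legacy))
    print("cost slow:   %.2e s/guess" % seconds_per_guess(slow))
    ok, new_record = upgrade_on_login("hunter2", legacy)
    print("upgraded:", ok, new_record.split("$")[0])
```

Both records fall to the same six-word list, which is the point: a slow hash does not make a weak password safe, it multiplies the attacker's cost per guess by the work factor (here five orders of magnitude), which is what turns a weekend job on the legacy table into an infeasible one for most of the users.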
