Disqus a popular commenting system and hosting service who provide comment plugin the popular cms around the web announced that he suffered from a data breach that affects 17.5 Million User Accounts in 2012. A snapshot of its database from 2012 with information dating back to 2007 containing email addresses, usernames, sign updates, and last login dates in the plain text was exposed .
It confirmed official on their blog about the security breach of database was leaked . According to a blog post by the company , the breach was reported by Security Specialist Troy Hunt of Have I Been Pwned Fame .
According to Disqus about a third of the compromised account contained the SHA1 Protocol password with the salted and hashed using the Weak SHA-1 Algorithm. Password hashed with SHA 1 salt for about one third of affected user are also included in snapshot .
The snapshot includes email address , usernames , last login and signup dates for 17.5 million users . Disqus was made aware of the breach and received the exposed data on October 5th by Troy Hunt , independent security researcher .
Disqus Investigating the Incident
“While we are still investigating the incident, we believe that it is best to share what we know now,” Disqus’ chief technology officer Jason Yan said in a blog post. We know that a snapshot of our user database from 2012, including information dating back to 2007, was exposed. The snapshot includes email addresses, Disqus user names, sign-up dates, and last login dates in plain text for 17.5mm users. Additionally, passwords (hashed using SHA1 with a salt; not in plain text) for about one-third of users are included.
We sincerely apologize to all of our users who were affected by this breach. Our intention is to be as transparent as possible about what happened, when we found out, what the potential consequences may be, and what we are doing about it.
Right now there isn’t any evidence of unauthorized logins occurring in relation to this. No plain text passwords were exposed, but it is possible for this data to be decrypted (even if unlikely). As a security precaution, we have reset the passwords for all affected users. We recommend that all users change passwords on other services if they are shared.
As a precaution, Disqus has reset the passwords of all affected users and advised them to change their passwords on other services and platforms if they happen to share the same credentials. The company also warned users against possible spam and phishing emails since email addresses were exposed in plain text in the attack.
Since emails were stored in plain-text, it’s possible affected users may receive unwanted email. Disqus doesn’t believe there is any threat to user accounts as it has made improvements over the years to significantly increase password security. One of those improvements was changing the password hashing algorithm from SHA1 to bcrypt.
If your account is affected by the data breach, you will receive an email from Disqus requesting that you change your password. The company is continuing to investigate the breach and will share new information on its blog when it becomes available.