Commenting platform Disqus is used by hundreds of popular websites including Rolling Stone, TMZ, The Atlantic, and even here at Techaeris. The platform offers a robust commenting system that is easy for site owners to deploy and moderate. The company has been in business for many years, and on Thursday it learned that it had suffered a data breach. While no data breach is good, this one appears to affect only a 2012 snapshot of the user database rather than the live system. That snapshot, which included records dating back to 2007, was exposed. The data the attackers obtained included email addresses, Disqus usernames, sign-up dates, and last login dates in plain text for 17.5 million users. Passwords were also exposed, though not in plain text: they were stored as salted SHA1 hashes.
We sincerely apologize to all of our users who were affected by this breach. Our intention is to be as transparent as possible about what happened, when we found out, what the potential consequences may be, and what we are doing about it.
Timeline Of Events:
- Thursday, October 5, 2017, at 4:18 PM PDT, we were contacted by an independent security researcher, who informed us that the Disqus data may be exposed.
- Thursday, October 5, 2017, at 4:56 PM PDT, we obtained the exposed data and immediately began to analyze the data and verify its validity.
- Friday, October 6, 2017, we started contacting users and resetting the passwords of all the users that had passwords included in the breach.
- Friday, October 6, 2017, before 4:00 PM PDT, we published this public disclosure of the incident.
Disqus says there is no evidence of unauthorized logins on any of the affected accounts. The exposed passwords were hashed rather than encrypted, so there is nothing to "decrypt", but a salted SHA1 hash is a weak defence: SHA1 is fast to compute, so anyone holding the dump can test very large numbers of candidate passwords offline and recover weak or common ones, and the salt only stops a single precomputed table from being checked against every account at once. Disqus has already reset the passwords of affected users and recommends that all users change their passwords; anyone who reused their 2012 Disqus password on another site should change it there as well. Email addresses were in plain text, so affected users may see an increase in spam and targeted phishing.
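To make the point about hashed passwords concrete, the following is an added illustration, not code from the original article or from Disqus, of why a salted SHA1 dump is still crackable offline and what the later move to a slow hash buys. The records, salts, passwords and wordlist are constructed for the example; the page does not describe Disqus's storage format, so the "(salt, digest) per user" layout is an assumption. Since bcrypt is not in the Python standard library, PBKDF2-HMAC-SHA256 with a high iteration count stands in for it here, purely to show the cost difference per guess.

```python
"""Offline dictionary attack against salted SHA1 versus a slow KDF.

Constructed sample data, not real breach records. The per-user
(salt, digest) layout is an assumption made for this example.
"""
import hashlib
import hmac
from typing import Callable, Dict, List, Tuple

HashFn = Callable[[bytes, bytes], bytes]

# Constructed users: email -> (per-user salt, plaintext password).
# alice uses a common password that any wordlist contains; bob does not.
SAMPLE_USERS: Dict[str, Tuple[bytes, str]] = {
    "alice@example.com": (b"8f3a", "letmein"),
    "bob@example.com": (b"c71d", "Tr0ub4dor&3-xK9"),
}

# Constructed attacker wordlist, in the order the attacker tries it.
WORDLIST: List[str] = ["123456", "password", "letmein", "qwerty"]


def salted_sha1(salt: bytes, password: bytes) -> bytes:
    """Salted SHA1 as the 2012-era scheme: one cheap digest per guess."""
    return hashlib.sha1(salt + password).digest()


def slow_kdf(salt: bytes, password: bytes) -> bytes:
    """Stand-in for bcrypt (hypothetical substitute, bcrypt is not in the
    stdlib): PBKDF2-HMAC-SHA256 with 100k iterations, so every guess costs
    roughly 100,000 hash computations instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def make_dump(hash_fn: HashFn,
              users: Dict[str, Tuple[bytes, str]]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build the leaked table: email -> (salt, digest), as a breach dump would hold it."""
    return {email: (salt, hash_fn(salt, pw.encode()))
            for email, (salt, pw) in users.items()}


def crack(dump: Dict[str, Tuple[bytes, bytes]],
          wordlist: List[str],
          hash_fn: HashFn) -> Tuple[Dict[str, str], int]:
    """Dictionary attack over the dump.

    Because each user has their own salt, a guess must be re-hashed for every
    user (no single precomputed table works), which is all the salt buys.
    Returns the cracked {email: password} mapping and the number of hash
    calls spent, which is identical for both schemes; only the per-call cost
    differs.
    """
    cracked: Dict[str, str] = {}
    work = 0
    for email, (salt, digest) in dump.items():
        for guess in wordlist:
            work += 1
            if hmac.compare_digest(hash_fn(salt, guess.encode()), digest):
                cracked[email] = guess
                break
    return cracked, work


def compare_schemes() -> Dict[str, Tuple[Dict[str, str], int]]:
    """Run the same attack against both dumps and report results per scheme."""
    results = {}
    for name, fn in (("salted_sha1", salted_sha1), ("slow_kdf", slow_kdf)):
        results[name] = crack(make_dump(fn, SAMPLE_USERS), WORDLIST, fn)
    return results


if __name__ == "__main__":
    for scheme, (found, calls) in compare_schemes().items():
        print(f"{scheme}: cracked {found} in {calls} guesses")
```

Both schemes give up the weak password after the same seven guesses, which is the lesson: salting and a different algorithm do not stop guessing, they only change what each guess costs the attacker. With SHA1 that cost is one digest, so a realistic wordlist against 17.5 million records is practical; with a work-factor hash such as bcrypt every guess is deliberately expensive, which is why reused or weak passwords from a salted SHA1 dump should be treated as exposed.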
As a precautionary measure, we are forcing the reset of passwords for all affected users. We are contacting all of the users whose information was included to inform them of the situation.
We’ve taken action to protect the accounts that were included in the data snapshot. Right now, we don’t believe there is any threat to user accounts. Since 2012, as part of normal security enhancements, we’ve made significant upgrades to our database and encryption in order to prevent breaches and increase password security. Specifically, at the end of 2012, we changed our password hashing algorithm from SHA1 to bcrypt.
Our team is still actively investigating this issue, but we wanted to share all relevant information as soon as possible. If more information surfaces we will update this post and share any updates directly to users. Again, we’re sorry about this. Your trust in Disqus is important to us and we’re working hard to maintain that.
We also recommend all of our users reset their Disqus password straight away. What do you think of this latest data breach? Let us know what you think in the comments below, or on Google+, Twitter, or Facebook.
Source: Disqus Blog