A Disqus hack that took place in 2012, but was discovered only on the 5th of October 2017, took the security news world by storm.
The company, which provides a web-based comment plugin for websites and blogs, admitted in a security update that it was breached 5 years ago, in July 2012, and that hackers stole the details of more than 17.5 million users by taking a snapshot of its database.
The stolen data includes email addresses, usernames, sign-up dates and last-login dates in plain text for all 17.5 million users. In addition, the hackers obtained password hashes for about one third of the users; those passwords were salted but hashed with the weak SHA-1 algorithm.
According to Jason Yan, the security breach was discovered only on Thursday at 4:18pm PT, when Australian Microsoft manager and HaveIBeenPwned overlord Troy Hunt spotted the lifted data in the wild. Within an hour, Yan said, the Disqus team had analyzed the data and verified it as authentic.
… we were alerted to a security breach that impacted a database from 2012. While we are still investigating the incident, we believe that it is best to share what we know now. We know that a snapshot of our user database from 2012, including information dating back to 2007, was exposed. The snapshot includes email addresses, Disqus user names, sign-up dates, and last login dates in plain text for 17.5mm users. Additionally, passwords (hashed using SHA1 with a salt; not in plain text) for about one-third of users are included.
Timeline Of Events:
Thursday, October 5, 2017 at 4:18 PM PDT, we were contacted by an independent security researcher, who informed us that the Disqus data may be exposed.
At 4:56PM PDT we obtained the exposed data and immediately began to analyze the data and verify its validity.
Friday, October 6, 2017, we started contacting users and resetting the passwords of all the users that had passwords included in the breach.
Before 4:00PM PDT, we published this public disclosure of the incident.
To limit the impact of the Disqus hack, the company is forcing a password reset for all affected users. The company is contacting all of the users whose information was included to inform them of the situation.
We’ve taken action to protect the accounts that were included in the data snapshot. Right now, we don’t believe there is any threat to user accounts. Since 2012, as part of normal security enhancements, we’ve made significant upgrades to our database and encryption in order to prevent breaches and increase password security. Specifically, at the end of 2012 we changed our password hashing algorithm from SHA1 to bcrypt.
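As an added illustration, and not Disqus's own code, the following shows a 2012-style salted-SHA-1 password record beside the slow, iterated hash that replaces it, with the rehash-on-login upgrade that a migration like the one described above uses. Since bcrypt is not in Python's standard library, PBKDF2-HMAC-SHA256 (hashlib.pbkdf2_hmac) stands in for it here; the record formats and iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Assumed work factor; tune so one verification costs tens of milliseconds.
PBKDF2_ITERATIONS = 100_000


def legacy_sha1_hash(password: str, salt: bytes) -> str:
    """Salted SHA-1 as in the 2012 snapshot: a single, fast hash of salt+password."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def make_legacy_record(password: str) -> str:
    """Store a legacy record as 'sha1$<salt hex>$<digest hex>' (assumed format)."""
    salt = os.urandom(8)
    return "sha1$%s$%s" % (salt.hex(), legacy_sha1_hash(password, salt))


def make_slow_record(password: str) -> str:
    """Store a slow, iterated record: 'pbkdf2_sha256$<iters>$<salt hex>$<key hex>'."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), key.hex())


def verify(record: str, password: str) -> bool:
    """Check a password against either record format, comparing in constant time."""
    scheme, rest = record.split("$", 1)
    if scheme == "sha1":
        salt_hex, digest = rest.split("$")
        computed = legacy_sha1_hash(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(computed, digest)
    if scheme == "pbkdf2_sha256":
        iters, salt_hex, key_hex = rest.split("$")
        key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(key.hex(), key_hex)
    raise ValueError("unknown password scheme: %r" % scheme)


def login(record: str, password: str) -> Tuple[bool, str]:
    """Verify a login and, on success, upgrade a legacy SHA-1 record in place.

    Returns (ok, record_to_store). Only users who log in get upgraded, so the
    SHA-1 hashes of everyone else stay weak; that is why a forced reset is the
    right response once such a snapshot has leaked.
    """
    ok = verify(record, password)
    if ok and record.startswith("sha1$"):
        return True, make_slow_record(password)
    return ok, record
```

The salted SHA-1 step is a single hash call, so a leaked snapshot can be guessed against at hardware speed; the iterated record multiplies each guess by the work factor, which is the property the bcrypt migration buys.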
The Disqus hack could have been much worse, especially on the PR side. The company did a good job of responding quickly once the security news broke.