Disqus Hack: +17.5M Users Exposed in 2012 Breach

A Disqus hack that took place in 2012, but was discovered only on the 5th of October 2017, took the security news world by storm.

The company, which provides a web-based comment plugin for websites and blogs, has admitted in a security update that it was breached five years ago, in July 2012, and that hackers stole the details of more than 17.5 million users by taking a snapshot of its user database.


The stolen data includes email addresses, usernames, sign-up dates, and last login dates in plain text for all 17.5 million users. In addition, the hackers got hold of the password hashes of about one third of the users; these were salted, but hashed with the weak and fast SHA-1 algorithm rather than a purpose-built password hash.

According to Jason Yan, the security breach was only discovered Thursday at 4.18pm PT, when Australian Microsoft manager and HaveIBeenPwned overlord Troy Hunt spotted the lifted data in the wild. Within an hour, Yan said, the Disqus team had analyzed and verified the data as authentic.

… we were alerted to a security breach that impacted a database from 2012. While we are still investigating the incident, we believe that it is best to share what we know now. We know that a snapshot of our user database from 2012, including information dating back to 2007, was exposed. The snapshot includes email addresses, Disqus user names, sign-up dates, and last login dates in plain text for 17.5mm users. Additionally, passwords (hashed using SHA1 with a salt; not in plain text) for about one-third of users are included.

Timeline Of Events:

Thursday, October 5, 2017 at 4:18 PM PDT, we were contacted by an independent security researcher, who informed us that the Disqus data may be exposed.
At 4:56PM PDT we obtained the exposed data and immediately began to analyze the data and verify its validity.
Friday, October 6, 2017, we started contacting users and resetting the passwords of all the users that had passwords included in the breach.
Before 4:00PM PDT, we published this public disclosure of the incident.

To limit the further impact of the Disqus hack, the company is forcing a password reset for all affected users. It is also contacting every user whose information was included in the snapshot to inform them of the situation.

We’ve taken action to protect the accounts that were included in the data snapshot. Right now, we don’t believe there is any threat to user accounts. Since 2012, as part of normal security enhancements, we’ve made significant upgrades to our database and encryption in order to prevent breaches and increase password security. Specifically, at the end of 2012 we changed our password hashing algorithm from SHA1 to bcrypt.
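The upgrade path Disqus describes above, as an added example that is not Disqus’s own code: verify a legacy salted-SHA-1 record and, on a successful login, transparently re-hash the password with a slow key-derivation function. The record layout and function names are hypothetical, and hashlib.scrypt from the Python standard library stands in for bcrypt so the example runs without third-party packages; the migration pattern is the same.

```python
import hashlib
import hmac
import os

# Hypothetical in-memory user store: username -> {scheme, salt, digest}.
# Records are constructed for this example.
USERS = {}


def _sha1_salted(salt: bytes, password: str) -> bytes:
    # Legacy scheme of the kind described in the post: a single SHA-1 pass
    # over salt + password. Fast to compute, so cheap to attack offline.
    return hashlib.sha1(salt + password.encode()).digest()


def _slow_kdf(salt: bytes, password: str) -> bytes:
    # Memory-hard KDF standing in for bcrypt (assumption: stdlib scrypt).
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def add_legacy_user(name: str, password: str) -> None:
    # Simulates a pre-2012 record that still carries a salted SHA-1 digest.
    salt = os.urandom(16)
    USERS[name] = {"scheme": "sha1", "salt": salt, "digest": _sha1_salted(salt, password)}


def set_password(name: str, password: str) -> None:
    # Stores (or re-stores) a password under the current strong scheme.
    salt = os.urandom(16)
    USERS[name] = {"scheme": "scrypt", "salt": salt, "digest": _slow_kdf(salt, password)}


def verify_and_upgrade(name: str, password: str) -> bool:
    # Returns True on a correct password. Legacy records are re-hashed on
    # the spot, because the plaintext is only available at login time.
    rec = USERS.get(name)
    if rec is None:
        return False
    if rec["scheme"] == "sha1":
        ok = hmac.compare_digest(rec["digest"], _sha1_salted(rec["salt"], password))
        if ok:
            set_password(name, password)  # transparent upgrade
        return ok
    return hmac.compare_digest(rec["digest"], _slow_kdf(rec["salt"], password))


def legacy_count() -> int:
    # Records still on the weak scheme: users who have not logged in since.
    return sum(1 for r in USERS.values() if r["scheme"] == "sha1")
```

Users who never log in again keep their SHA-1 digest, which is why a forced reset of the kind Disqus performed is still needed for the remaining legacy records.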

The Disqus hack could have been much worse, especially on the PR side. The company did a good job of responding quickly once the data surfaced.

This news comes after a busy few weeks of hacking and security headlines, crowned by the Equifax and Deloitte breaches.

Mohamad El Hout, MBA, M.Eng., CISSP

Mohamad is an entrepreneur and a Senior Security Consultant dealing with the design and delivery of standard and complex security gateway solutions, covering a wide range of cutting edge technologies. His interests include business, technology, leadership, sports, and the continuous pursuit of knowledge.
