Disqus Announces Data Breach On 2012 User Database

Disqus, the company behind the popular comment platform of the same name, announced that some of its servers were breached and user information from a 2012 user database was stolen. The information dated back to 2007 and included email addresses, Disqus usernames, sign-up dates, and last login dates in plain text for 17.5 million users.

Passwords from about a third of the users were also stolen, but they were hashed with the now-deprecated SHA1 algorithm, which means the attackers would still need to crack the hashes by brute force before they could use the passwords. Disqus announced the breach within 24 hours of finding out about it.

Impact For Users

Disqus said that it has seen no unauthorized logins in relation to this leaked database. This may be because no plain text passwords were leaked. However, the company noted that there’s still a risk that the hackers may try to crack some of the hashed passwords. Therefore, Disqus reset everyone’s passwords to make the old passwords obsolete and worthless to the attackers. The company also recommended that all Disqus users change their passwords on other services where they may have reused their Disqus passwords.

Although the passwords were hashed, email addresses were in plain text, which means users may receive unwanted email in the future.

Disqus doesn’t believe the database is widely distributed right now. The most recent exposed data was from July 2012.

Addressing The Problem

Beyond resetting everyone’s passwords, Disqus has also started notifying all 17.5 million users who were impacted by the data breach, so they can take further precautions on their own. The company also mentioned that the reason the leaked data contains only user information up to 2012 may be that this is when it added security upgrades to its servers. These included changing the password hashing algorithm from SHA1 to bcrypt, which is currently one of the best industry standards for hashing user passwords.
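As an added illustration of the upgrade described above (this is not Disqus code and not part of the original article), the following Python shows how a service can migrate stored unsalted SHA1 digests to a slow, salted scheme transparently at login, re-hashing each record the first time its owner authenticates. It substitutes the standard library's PBKDF2-HMAC-SHA256 for bcrypt so it runs without third-party packages; the iteration count, record format and user table are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor for the slow hash: an assumed value for this example, tune to your hardware.
PBKDF2_ITERATIONS = 200_000
MODERN_PREFIX = "pbkdf2_sha256$"


def legacy_sha1(password: str) -> str:
    # Weak legacy scheme: one fast, unsalted digest, so equal passwords give
    # equal hashes and a precomputed table applies to every record at once.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def modern_hash(password: str, salt: Optional[bytes] = None) -> str:
    # Salted, iterated hash standing in for bcrypt; the random salt makes
    # every stored value unique even when two users share a password.
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{MODERN_PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def is_legacy(stored: str) -> bool:
    # Records without the modern prefix are old SHA1 hex digests.
    return not stored.startswith(MODERN_PREFIX)


def verify(stored: str, password: str) -> bool:
    # Constant-time comparison under whichever scheme the record uses.
    if is_legacy(stored):
        return hmac.compare_digest(legacy_sha1(password), stored)
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(users: Dict[str, str], username: str, password: str) -> bool:
    # Authenticate, then re-hash a legacy record in place: the plaintext is
    # only available at login, so migration happens one successful login at a time.
    stored = users.get(username)
    if stored is None or not verify(stored, password):
        return False
    if is_legacy(stored):
        users[username] = modern_hash(password)
    return True
```

Accounts that never log in again keep their legacy hash, which is why a forced reset of all passwords, as Disqus did, closes the gap that gradual migration leaves open.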

Disqus said that it will continue to investigate the issue and will share anything it finds in future announcements.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • poochiepiano
    Wow, releasing the news within 24 hours of discovery and not making shady stock decisions immediately after? You mean companies can do such a thing?
  • cryoburner
    That, or they knew about it for years, and just kept silent about it until some security researcher discovered the database in the wild, and they had to act surprised. >_>
  • kookykrazee
    I have not been notified that my password needs to be reset, as of today. hmmm
  • linuxgeex
    If you used a social login, i.e. a Google account, then you didn't have a password to be reset and they may have just invalidated the platform secret so that you needed to authorize it again... many users wouldn't notice that they had to do that, they would just click the auth button and keep posting.