Disqus, the “number one blog comment hosting service for websites and online communities” was apparently breached by hackers back in 2012. The company has only discovered this breach now and has confirmed it in an official announcement. While it may have remained oblivious to this breach for over half a decade, to its credit the company investigated and confirmed the breach in less than a day after it was notified.
“Yesterday, on October 5th, we were alerted to a security breach that impacted a database from 2012,” the company said in its announcement post today. “While we are still investigating the incident, we believe that it is best to share what we know now.”
— Troy Hunt (@troyhunt) October 6, 2017
The company has revealed that a “snapshot” of its user database that carried information dating back to 2007 was stolen by unknown attackers. This data includes email addresses, Disqus user names, sign-up dates, and last login dates in plain text for 17.5 million users. Around one third of these affected users may have also lost their passwords hashed using SHA1 to the hackers.
Disqus says it hasn’t found any evidence of unauthorized logins
While it has only been a day, the company says so far it hasn’t found any evidence that the data was used for unauthorized access. “Email addresses are in plain text here, so it’s possible that affected users may receive spam or unwanted emails,” the company added.
Disqus was notified about this breach by famous security researcher, Troy Hunt, who found a copy of the stolen data and informed Disqus on October, 5. Hunt tweeted that it took the company less than 24 hours to respond to the breach and disclose it publicly (ahem SEC, Equifax…).
The company added in its breach disclosure that it had switched password hashing algorithm from SHA1 to bcrypt later in 2012.
Disqus is one of the web’s largest providers of hosted discussion systems. While it says so far no unauthorized access has been detected, the company has started forcing affected users to reset their passwords. “We are contacting all of the users whose information was included to inform them of the situation,” it said, promising to keep its users updated with more information if anything new surfaces. “Your trust in Disqus is important to us and we’re working hard to maintain that.”