On Friday evening, the worldwide blog comment hosting service for web sites and online communities Disqus has confirmed a data breach that occurred back in 2012.
In 2012, hackers have stolen details for at least 17.5 million Disqus user accounts.
The popular cyber security expert Troy Hunt, who runs the data breach notification service haveibeenpwned.com, come into the possession of a copy of the stolen data.
— Have I been pwned? (@haveibeenpwned) October 6, 2017
Hunt reported the issue to Disqus staff on Friday afternoon.
— Troy Hunt (@troyhunt) October 6, 2017
Disqus has already started notifying users that were listed in the archive reported by Troy Hunt, the exposed records include email addresses, usernames, sign-up dates, and last login dates in plain text. The experts noticed that SHA-1 hashed passwords were only included for about 33% of all records.
Disqus declared that at the end of 2012, it switched the password hashing algorithm from SHA1 to bcrypt.
“Yesterday, on October 5th, we were alerted to a security breach that impacted a database from 2012. While we are still investigating the incident, we believe that it is best to share what we know now. We know that a snapshot of our user database from 2012, including information dating back to 2007, was exposed. The snapshot includes email addresses, Disqus user names, sign-up dates, and last login dates in plain text for 17.5mm users. Additionally, passwords (hashed using SHA1 with a salt; not in plain text) for about one-third of users are included.” states the breach notification puclished by Disqus.
According to Disqus, the last entry in the dump is from July 2012, this could be the exact moment when the data breach took place.
In response to the incident, the company started contacting users and resetting the passwords related to the users that had passwords included in the breach.
“As a precautionary measure, we are forcing the reset of passwords for all affected users. We are contacting all of the users whose information was included to inform them of the situation.” continues the Disqus data breach notification.
“We’ve taken action to protect the accounts that were included in the data snapshot. Right now, we don’t believe there is any threat to a user accounts. Since 2012, as part of normal security enhancements, we’ve made significant upgrades to our database and encryption in order to prevent breaches and increase password security. Specifically, at the end of 2012 we changed our password hashing algorithm from SHA1 to bcrypt.”
According to Disqus, there is no evidence of unauthorized logins or any other abuses associated with the stolen data.
The company is still investigating the incident.