Posted on October 9, 2017 at 12:41 PM
Disqus Admits to Security Breach in 2012
The widely popular plug-in recently admitted that they suffered a huge data breach in 2012 which has affected millions of users.
Disqus confirmed this past week that their web commenting system was hacked in July 2012. Disqus is a company which creates and provides a commentary plug-in for mainly news websites. The company confirmed this past Friday that they suffered a huge data breach during July 2012, where hackers were able to steal more than 17.5 million email addresses.
Only one-third of compromised accounts actually contained passwords that were salted and hashed using the weak SHA-1 algorithm. Since 2012, this algorithm has been replaced in favor of stronger password scrambles. The stolen information also contained sign-up dates of the millions of affected users as well as the last login.
While the company admitted to the data theft occurring in 2012, some of the vulnerable user information dates as far back as 2007.
According to experts, a large number of the compromised accounts did not even have passwords, since many users opted to sign into Disqus using third-party services such as Facebook or Google.
The data breach was only discovered this past week. The database in question was sent to Troy Hunt, who is the administrator of the popular breach notification platform Have I been Pwned. Hunt discovered the data theft and notified Disqus.
The company created a blog post which explained the data breach to users less than 24 hours after Hunt notified them. According to the blog post, there was no previous evidence of unauthorized logins or suspicious activity. Disqus stated that they will communicate to affected users via email in more detail about the breach and what the can do to protect themselves.
It is likely that all affected users will have to reset their passwords or have a force-reset.
In addition, Disqus also urged users who use the same passwords for Disqus and other sites, to immediately change their passwords on all affected accounts. Jason Yan, chief technology officer of Disqus stated in the blog post that the company has made significant upgrades to their security precautions as well as their database encryption to prevent data thefts and to maximize password security.
According to Yan, Disqus changed their password hashing to bcrypt, a significantly more powerful password scrambler. Disqus has actively been using Bcrypt since late 2012, and several other security enhancements have since been put in place.
On the blog post, Yan emphasized that the Disqus team were still investigating the data breach, but the company felt obligated to share all available information to their users as soon as possible. Chief executive of Disqus, Daniel Ha stated that the company was currently engaged in investigating all responsible and necessary disclosures with both users and governmental agencies.
He also stated that less than 10% of the company’s data was compromised. Since 2012, the company’s users database has increased by five-fold.
According to the company, over 50 million comments are posted every month using their platform. Several other companies have recently admitted to huge data breaches, including LinkedIn, MySpace, and Yahoo. A security expert from Have I Been Pwned, Tony Hunt, commended Disqus on their remarkably quick response time.
According to Hunt, the company was able to assess the breached data, establish a timeline of events, reset the password of affected users, draft up transparent announcement, and speak openly to the press regarding the matter all within a day of first being notified of the data theft.
Hunt added that this response time is the gold standard for incidents regarding cybercrime, and according to Hunt, more companies should aspire to Disqus’s response time.
Hunt has also stated that approximately 71% of the affected email addresses were already in the Have I been Pwned database. Currently, this database consists of more than 4.7 compromised accounts.
