Disqus reveals 17.5 million users affected by security breach in 2012
Popular comment hosting service Disqus has urged its users to reset passwords on other services if they are shared. Updated: Oct 07, 2017 17:28 IST
Comment hosting service Disqus on Friday revealed that it had suffered a major security breach in 2012. The company said that it was alerted by an independent security researcher, Troy Hunt, on October 5 about the breach. Disqus has confirmed that a snapshot of its user database from 2012, which includes information dating back to 2007, was leaked.
Data exposed includes email addresses, sign-up dates, Disqus user names, and last login dates in plain text. It also has passwords (not in plain text format) for about one-third of the total user base. The company says the security breach affected 17.5 million users.
“Right now there isn’t any evidence of unauthorized logins occurring in relation to this. No plain text passwords were exposed, but it is possible for this data to be decrypted (even if unlikely). As a security precaution, we have reset the passwords for all affected users. We recommend that all users change passwords on other services if they are shared,” the company said in a blog post.
Since the email addresses were exposed in plain text, Disqus says the affected users may have received spam emails. “At this time, we do not believe that this data is widely distributed or readily available. We can also confirm that the most recent data that was exposed is from July, 2012,” it added.
Disqus has forced the reset of passwords for all affected users. The company is also reaching out to users whose information was leaked online.
“Since 2012, as part of normal security enhancements, we’ve made significant upgrades to our database and encryption in order to prevent breaches and increase password security. Specifically, at the end of 2012 we changed our password hashing algorithm from SHA1 to bcrypt,” it added.
SHA-1 is a general-purpose cryptographic hash function designed by the US National Security Agency. It is fast to compute, which is a liability for password storage: leaked hashes can be tested against candidate passwords at high speed. bcrypt is a dedicated password hashing function that salts each password and is deliberately slow to compute, which is why it is considered far more secure than SHA-1 for protecting stored passwords.
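The kind of migration the company describes, written here as an added Python example that is not Disqus's own code: legacy hashes are verified one last time at login and transparently re-stored under a salted, deliberately slow hash. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt (which needs a third-party package), the legacy records are constructed as unsalted SHA-1 purely for illustration (the article does not describe Disqus's exact scheme), and the record prefixes and iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed storage formats (not from the article): a prefix tells the
# verifier which scheme produced the record.
LEGACY_PREFIX = "sha1$"
MODERN_PREFIX = "pbkdf2_sha256$"
PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to ~100 ms per hash in production


def legacy_sha1(password: str) -> str:
    """Fast, unsalted SHA-1: illustrative legacy scheme. Identical passwords
    yield identical records, and each guess costs one cheap hash."""
    return LEGACY_PREFIX + hashlib.sha1(password.encode("utf-8")).hexdigest()


def modern_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash (PBKDF2 standing in for bcrypt). A fresh random salt
    means two users with the same password get different records."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{MODERN_PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_and_upgrade(stored: str, password: str) -> Tuple[bool, str]:
    """Check `password` against `stored`. Returns (ok, record_to_store):
    a correct login against a legacy record comes back with an upgraded
    record, so the legacy hash can be overwritten on the spot."""
    if stored.startswith(LEGACY_PREFIX):
        ok = hmac.compare_digest(stored, legacy_sha1(password))
        return ok, (modern_hash(password) if ok else stored)
    if stored.startswith(MODERN_PREFIX):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex), stored
    raise ValueError("unknown password record format")


if __name__ == "__main__":
    record = legacy_sha1("correct horse")          # constructed sample record
    ok, record = verify_and_upgrade(record, "correct horse")
    print(ok, record.split("$")[0])                 # True pbkdf2_sha256
```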
The latest report comes shortly after Yahoo's recent disclosure that all of its users were affected by a security breach in 2013. At the internet giant, which has since been acquired by Verizon, around 3 billion account details were exposed.