Popular blog comment service Disqus announced recently that it experienced a breach of its systems in 2012 that resulted in 17.5 million user email addresses and passwords being stolen by hackers.
The five-year-old incident, which went undetected until recently, also exposed the Disqus username associated with each email address, the date the account was created, and the date of the user's last login. According to Disqus, the hack of its database occurred sometime in July 2012 and was first brought to light on October 5, 2017 by an independent security researcher who discovered Disqus data online. Information exposed in the breach dated back as far as 2007.
While passwords for about one-third of the stolen user accounts were included in the breach, there is some good news and bad news regarding their potential exposure.
The good news is that Disqus did not store the passwords in plaintext. The company used a hashing algorithm that included a salting function—a process that mixes random data into each password before it is hashed, so that the stored hashes are harder for an attacker to crack.
The bad news is that Disqus did its hashing with the SHA1 algorithm—a former web standard that has since been phased out after researchers showed it was possible to break the algorithm and unmask hashed information. Disqus has since switched to the more secure bcrypt algorithm for password hashing.
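The following is an added example, not Disqus's code, contrasting the two schemes the article names: salted SHA1 and a work-factor password hash. bcrypt needs a third-party package, so the standard library's PBKDF2 stands in for it here, and the speed comparison is a single-core estimate; the point it shows is that the salt makes each user's stored hash distinct, but does nothing about how fast an attacker can test guesses offline, which is what the move to bcrypt addresses.

```python
import hashlib
import hmac
import os
import time

# Added example (not Disqus's code). Contrasts the legacy salted-SHA1 scheme the
# article describes with a work-factor scheme. bcrypt, which Disqus moved to,
# needs a third-party package, so hashlib.pbkdf2_hmac stands in for it here.

def salted_sha1(password: str, salt: bytes) -> bytes:
    """Legacy scheme: one fast SHA1 pass over salt || password."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()

def pbkdf2(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Work-factor scheme (stand-in for bcrypt): cost scales with `iterations`."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def store(password: str, hasher, salt_len: int = 16):
    """Create a stored record: a fresh random salt plus the salted digest."""
    salt = os.urandom(salt_len)
    return salt, hasher(password, salt)

def verify(password: str, salt: bytes, digest: bytes, hasher) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(hasher(password, salt), digest)

def salt_defeats_precomputation(password: str, hasher) -> bool:
    """Two users with the same password get different digests, so one
    precomputed table cannot cover both (this is the salt's actual job)."""
    _, d1 = store(password, hasher)
    _, d2 = store(password, hasher)
    return d1 != d2

def guesses_per_second(hasher, budget: float = 0.2) -> float:
    """Estimate single-core offline guessing speed; salting does not change this."""
    salt = b"\x00" * 16
    n = 0
    end = time.perf_counter() + budget
    while time.perf_counter() < end:
        hasher(f"candidate{n}", salt)
        n += 1
    return n / budget

def speedup_over_kdf() -> float:
    """How many times faster guesses run against salted SHA1 than against PBKDF2."""
    return guesses_per_second(salted_sha1) / guesses_per_second(pbkdf2)

if __name__ == "__main__":
    print(f"salted SHA1 is ~{speedup_over_kdf():,.0f}x cheaper to guess against than PBKDF2")
```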
Disqus has reported no evidence of an unauthorized login attempt in relation to the breach. As a safety precaution, the company automatically reset the passwords of all user accounts that were found to have been stolen.
If a person used the same email address and password to log in to other accounts, though, a breach like this one could create additional concern. Any account with a reused password is at risk of being compromised. Users are advised to change the password of any account that may have shared a password with their Disqus account. Disqus also warned that, since the email addresses were stored in plaintext, users may experience an increase in spam or phishing attempts targeting their accounts.