Disqus Breached: Change Your Passwords
Posted by: Jon Ben-Mayor on 10/09/2017 08:05 AM
[
Comments
]
If you have a Disqus account and log in via direct password rather than from another platform then you should probably change your password - as well as any recycled passwords for other accounts.
Yesterday, on October 5th, we were alerted to a security breach that impacted a database from 2012. While we are still investigating the incident, we believe that it is best to share what we know now. We know that a snapshot of our user database from 2012, including information dating back to 2007, was exposed. The snapshot includes email addresses, Disqus usernames, sign-up dates, and last login dates in plain text for 17.5mm users. Additionally, passwords (hashed using SHA1 with a salt; not in plain text) for about one-third of users are included.
We sincerely apologize to all of our users who were affected by this breach. We intend to be as transparent as possible about what happened, when we found out, what the potential consequences may be, and what we are doing about it.
Timeline Of Events:
Thursday, October 5, 2017, at 4:18 PM PDT, we were contacted by an independent security researcher, who informed us that the Disqus data might be exposed.
Thursday, October 5, 2017, at 4:56 PM PDT we obtained the exposed data and immediately began to analyze the data and verify its validity.
Friday, October 6, 2017, we started contacting users and resetting the passwords of all the users that had passwords included in the breach.
Friday, October 6, 2017, before 4:00 PM PDT, we published this public disclosure of the incident.
Potential Impact For Users:
Right now there isn’t any evidence of unauthorized logins occurring in relation to this. No plain text passwords were exposed, but it is possible for this data to be decrypted (even if unlikely). As a security precaution, we have reset the passwords for all affected users. We recommend that all users change passwords on other services if they are shared.
Email addresses are in plain text here, so it’s possible that affected users may receive spam or unwanted emails.
At this time, we do not believe that this data is widely distributed or readily available. We can also confirm that the most recent data that was exposed is from July 2012.
What We Are Doing to Address This:
As a precautionary measure, we are forcing the reset of passwords for all affected users. We are contacting all of the users whose information was included to inform them of the situation.
Disqus showed a level of responsibility (responsibility lost on Equifax) that is refreshing by publicly announcing the breach just 24 hours after it was presented to them. So for that kudos.
Tim and Jim have preached the password issue for ages, never use the same password for multiple accounts and use unique passwords - always! We also have an informative write-up by Jim that covers Password Management as well that you will find helpful. We also have some excellent password management utilities to choose from to make the process of keeping track of multiple passwords easier.
Yesterday, on October 5th, we were alerted to a security breach that impacted a database from 2012. While we are still investigating the incident, we believe that it is best to share what we know now. We know that a snapshot of our user database from 2012, including information dating back to 2007, was exposed. The snapshot includes email addresses, Disqus usernames, sign-up dates, and last login dates in plain text for 17.5mm users. Additionally, passwords (hashed using SHA1 with a salt; not in plain text) for about one-third of users are included.
We sincerely apologize to all of our users who were affected by this breach. We intend to be as transparent as possible about what happened, when we found out, what the potential consequences may be, and what we are doing about it.
Timeline Of Events:
Thursday, October 5, 2017, at 4:18 PM PDT, we were contacted by an independent security researcher, who informed us that the Disqus data might be exposed.
Thursday, October 5, 2017, at 4:56 PM PDT we obtained the exposed data and immediately began to analyze the data and verify its validity.
Friday, October 6, 2017, we started contacting users and resetting the passwords of all the users that had passwords included in the breach.
Friday, October 6, 2017, before 4:00 PM PDT, we published this public disclosure of the incident.
Potential Impact For Users:
Right now there isn’t any evidence of unauthorized logins occurring in relation to this. No plain text passwords were exposed, but it is possible for this data to be decrypted (even if unlikely). As a security precaution, we have reset the passwords for all affected users. We recommend that all users change passwords on other services if they are shared.
Email addresses are in plain text here, so it’s possible that affected users may receive spam or unwanted emails.
At this time, we do not believe that this data is widely distributed or readily available. We can also confirm that the most recent data that was exposed is from July 2012.
What We Are Doing to Address This:
As a precautionary measure, we are forcing the reset of passwords for all affected users. We are contacting all of the users whose information was included to inform them of the situation.
Disqus showed a level of responsibility (responsibility lost on Equifax) that is refreshing by publicly announcing the breach just 24 hours after it was presented to them. So for that kudos.
Tim and Jim have preached the password issue for ages, never use the same password for multiple accounts and use unique passwords - always! We also have an informative write-up by Jim that covers Password Management as well that you will find helpful. We also have some excellent password management utilities to choose from to make the process of keeping track of multiple passwords easier.
Comments
