If you have a Disqus account, you might want to change your password. The online commenting platform (which powered this site’s comments up until earlier this year) announced that it suffered a security breach in 2012 and that data for about 17.5 million users was compromised.
The company is forcing all affected users to reset their passwords, but it probably wouldn’t be a bad idea for you to do that on your own from time to time.
So what data was obtained by hackers? Usernames, email addresses, sign-up dates, and last-login dates were included. And so were passwords for about a third of the users. Those passwords weren’t in plain text; they were hashed using the SHA-1 hash function with a salt.
Disqus says there “isn’t any evidence of unauthorized logins occurring in relation to this.” But there’s a small chance that someone could crack the hashes and recover the passwords, which is why a password reset seems like a good idea.
And if you’re using the same password for multiple services including Disqus:
- Don’t do that.
- Change your passwords on those other services as well.
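On the salted SHA-1 storage mentioned above: a salt defeats precomputed lookup tables, but SHA-1 itself is fast, so each password check is cheap. The sketch below is an added example, not Disqus's code; it shows how a service holding legacy salted SHA-1 hashes can move an account to a slow key-derivation function at the next successful login, and measures the per-check cost difference. The salt-then-password layout, the record fields and the PBKDF2 iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000  # work factor chosen for this example


def legacy_sha1(password: str, salt: bytes) -> bytes:
    # Assumed layout: SHA-1 over salt || password (the real layout is not on the page).
    return hashlib.sha1(salt + password.encode()).digest()


def slow_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_and_upgrade(record: dict, password: str) -> bool:
    """Check a login; on success, replace a legacy SHA-1 record with PBKDF2."""
    if record["scheme"] == "sha1":
        ok = hmac.compare_digest(legacy_sha1(password, record["salt"]), record["hash"])
        if ok:
            new_salt = os.urandom(16)
            record.update(scheme="pbkdf2", salt=new_salt, hash=slow_hash(password, new_salt))
        return ok
    return hmac.compare_digest(slow_hash(password, record["salt"]), record["hash"])


def cost_ratio(samples: int = 2000) -> float:
    """How many times more CPU one PBKDF2 check costs than one salted SHA-1 check."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        legacy_sha1(f"guess{i}", salt)
    sha1_each = (time.perf_counter() - start) / samples
    start = time.perf_counter()
    slow_hash("guess", salt)
    return (time.perf_counter() - start) / sha1_each


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed sample record, not real breach data
    user = {"scheme": "sha1", "salt": salt, "hash": legacy_sha1("correct horse", salt)}
    print(verify_and_upgrade(user, "wrong"), user["scheme"])
    print(verify_and_upgrade(user, "correct horse"), user["scheme"])
    print(f"PBKDF2 check costs ~{cost_ratio():,.0f}x a SHA-1 check")
```

Accounts that never log in again keep their legacy hash, which is one reason a forced reset is the usual companion to this kind of migration.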
If you want to know if your email address or username has been involved in any security breaches, HaveIBeenPwned, run by security researcher Troy Hunt, is a good place to start. Hunt’s site may not have a comprehensive list of all breaches, but it’s one of the best ways to find out if your data was involved in one that’s been publicly disclosed.
Hunt also notes that Disqus basically did about as good a job of disclosing this breach as could be expected from any company by verifying the information, taking action to protect user data, and alerting users within 24 hours… although it took 5 years for the company to notice the problem in the first place.