If you have a Disqus account, you might want to change your password. The online commenting platform (which powered this site’s comments until earlier this year) announced that it suffered a security breach in 2012 and that data for about 17.5 million users was compromised.

While the breach happened 5 years ago, Disqus just found out about it on October 5th after being informed by Troy Hunt, who runs the HaveIBeenPwned website.

The company is forcing all affected users to reset their passwords, but it probably wouldn’t be a bad idea for you to do that on your own from time to time.

So what data was obtained by hackers? Usernames, email addresses, sign-up dates, and last-login dates were included. And so were passwords for about a third of the users. Those passwords weren’t in plain text; they were stored as salted SHA-1 hashes.

Disqus says there “isn’t any evidence of unauthorized logins occurring in relation to this.” But there’s a small chance that someone could crack those hashes and recover the passwords, which is why a password reset seems like a good idea.

And if you’re using the same password for multiple services including Disqus:

  1. Don’t do that.
  2. Change your passwords on those other services as well.

If you want to know if your email address or username has been involved in any security breaches, HaveIBeenPwned is a good place to start. Hunt’s site may not have a comprehensive list of all breaches, but it’s one of the best ways to find out if your data was involved in one that’s been publicly disclosed.

Hunt also notes that Disqus basically did about as good a job of disclosing this breach as could be expected from any company by verifying the information, taking action to protect user data, and alerting users within 24 hours… although it took 5 years for the company to notice the problem in the first place.
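As an added illustration of the storage scheme the article describes (example code written for this edit, not Disqus’s code or the author’s), here is a legacy salted-SHA-1 record beside a slow-KDF replacement, with a timing of how many fast SHA-1 guesses fit in the time of one PBKDF2 check. The record layouts and the PBKDF2 iteration count are assumptions.

```python
"""Added example (not Disqus's code): why a leaked salted-SHA-1 store still
warrants a reset. Record layouts and KDF parameters are assumptions."""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 200_000  # assumed; tune so one check costs ~100 ms


def store_salted_sha1(password: str) -> str:
    """Legacy scheme as the article describes it: SHA-1(salt || password).
    Stored as 'salt_hex$digest_hex' (layout assumed)."""
    salt = os.urandom(16)
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_salted_sha1(record: str, password: str) -> bool:
    salt_hex, digest = record.split("$")
    candidate = hashlib.sha1(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


def store_pbkdf2(password: str) -> str:
    """Hardened replacement: a salted, deliberately slow KDF."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(record: str, password: str) -> bool:
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def cost_ratio(samples: int = 2000) -> float:
    """Legacy guesses that fit in the time of one PBKDF2 guess: the salt defeats
    precomputed tables but does nothing to slow per-record guessing."""
    salt, pw = os.urandom(16), b"constructed-sample"
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.sha1(salt + pw).digest()
    sha1_each = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS)
    return (time.perf_counter() - t0) / sha1_each
```

The ratio returned by `cost_ratio()` is the point: a salt only forces an attacker to work per record, and with SHA-1 each of those guesses is so cheap that password strength alone decides whether the "small chance" above is small.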


10 replies on “Disqus discloses 2012 security breach”

  1. A lot of people use the same password across all services, because they can’t remember many different passwords. What I do is I generate a password from the service I’m trying to use, a number and some words from my favorite poem. This way I don’t have to remember it, because I can reconstruct it every time, and it’s different across every service.

    1. I personally use an account just for the rubbish, like commenting and forums (this one), a totally different account for all online shopping, a third for my actual semi-official communication and a fourth for gov’t and bank communications. Still, you can never be too careful.

    2. If someone got the plaintext of your passwords, could they reconstruct your algorithm? How many would it take to crack all of them, or at least then reduce the search space to a brute forcible number?

      Just curious. I use a similar scheme, but I still include enough mnemonic “salt” to keep things safe.

  2. It only took 5 years to disclose it? Yeah, I am sure they didn’t notice before. Definitely.

  3. Disqus is an online commenting noise maker. Like many similar sites, people should sign up with a disposable email account. Dump the account after a few months and sign up with a new account later on. Do the same for reddit, HN, forums, etc…

    It’s not like all these DBs aren’t being recycled for (at minimum) monetary gain anyway. In essence, they have all been pre-hacked. If internet points are important to you… you are not seeing the big picture.

  4. How do the multimillion dollar companies get hacked so often? Are they using Hillary’s IT security guy??

    1. Respectfully, get over it. It has never been indicated that Hillary’s email server was hacked. She illegally used a private, non-government email server. This is therefore an entirely different issue: legally private servers actually getting hacked.

      1. It’s never been proven Hillary’s email server WASN’T hacked either – and even that noted DNC house organ The NY Times published a story quoting experts saying Hillary’s email was probably hacked (https://www.nytimes.com/2016/07/07/us/hillary-clintons-email-was-probably-hacked-experts-say.html).

        Dave Samson was just making a little joke. The internet is awash with references to conservatives/Republicans as the butt of jokes over never-substantiated rumors, innuendo, etc. Why should Hillary Clinton get a pass? Respectfully, I suggest you take your own advice and get over it.

      2. I can’t believe this comment got five thumbs up votes on a tech site. Lots of ignorance on a tech issue. Even ignoring how difficult that would be to prove normally, Hillary did not make it any easier with her efforts to cover her tracks. And clearly she did not have the best security. It would be somewhat amazing if she hadn’t been hacked.
