Disqus confirms 2012 hack of its comments tool
(Image: file photo)
Disqus has confirmed its web commenting system was hacked.
The company, which builds and provides a web-based comment plugin for news websites, said late Friday that hackers stole more than 17.5 million records in a data breach in July 2012.
About a third of those accounts contained passwords, salted and hashed using the weak SHA-1 algorithm, which has largely been deprecated in recent years in favor of stronger password scramblers.
Many of the accounts don't have passwords because they signed up to the commenting tool using a third-party service, like Facebook or Google.
The theft was only discovered this week after the database was sent to Troy Hunt, who runs data breach notification service Have I Been Pwned, who then informed Disqus of the breach.
The company said in a blog post, posted less than a day after Hunt's private disclosure, that although there was no evidence of unauthorized logins, users whose passwords were exposed will receive an email notification to reset their passwords.
"Since 2012, as part of normal security enhancements, we've made significant upgrades to our database and encryption in order to prevent breaches and increase password security," said Jason Yan, chief technology officer.
The company warned users who have used their Disqus password on other sites to change the password on those accounts.
Yan also confirmed that at the end of 2012, the company changed its password hashing to bcrypt, a much stronger password scrambler.
"Our team is still actively investigating this issue, but we wanted to share all relevant information as soon as possible," said Yan.
According to Hunt, 71 percent of email addresses were already in Have I Been Pwned's database of more than 4.7 million records.
Disqus joins several other companies, like LinkedIn, MySpace, and Yahoo, who have in the past year and a half revealed a historical data breach dating back to the turn of the decade.
from Latest Topic for ZDNet in... http://ift.tt/2xo1RUb