Disqus, the blog comment hosting service for websites and online communities, just confirmed a security breach. Here are details about the breach and the rapid response from Disqus that is generating positive comments.

Disqus Data Breach Details

Disqus was alerted on October 5 of the breach by Have I Been Pwned? – a site that tells you if your email address was compromised in a breach. Details about the breach and their response were highlighted on their website, along with a complete timeline:

  • The breach exposed a snapshot of the user database (more than 17 million users) from 2012, including information dating back to 2007: email addresses, Disqus user names, sign-up dates, and last login dates, all in plain text.
  • Passwords (hashed using SHA1 with a salt; not in plain text) for about one-third of users were included in the breach.
  • No plain-text passwords were exposed, but it’s possible for these hashes to be cracked and the original passwords recovered.
  • As a security precaution, Disqus reset the passwords for all affected users, and recommended that all users change passwords on other services if they’re shared.
  • Disqus is forcing the reset of passwords for all affected users and contacting all of the users whose information was included to inform them of the situation.
  • Disqus stated that they have made significant upgrades to their database and encryption since 2012 in order to prevent breaches and increase password security. At the end of 2012, Disqus changed the password hashing algorithm from SHA1 to bcrypt.
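To illustrate the SHA1-to-bcrypt change described above, here is an added example (written for this article, not Disqus code) of the usual defender's migration pattern: keep verifying legacy salted-SHA1 records, and rehash each user with the slow scheme on their next successful login. PBKDF2-HMAC-SHA256 stands in for bcrypt because it ships in the standard library; the record layouts, iteration count, and sample user store are assumptions.

```python
import hashlib
import hmac
import os

# Legacy record layout assumed for this example: "sha1$<salt hex>$<digest hex>".
def legacy_sha1_hash(password, salt):
    """A single salted SHA1 pass: cheap to compute, so also cheap to brute-force offline."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"sha1${salt.hex()}${digest}"

# Work-factored replacement. PBKDF2-HMAC-SHA256 stands in for bcrypt here (assumption:
# chosen only because it is in the standard library; the point is the slow, tunable cost).
PBKDF2_ITERATIONS = 200_000

def strong_hash(password, salt=None):
    """Record layout: "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify(password, stored):
    """Check a password against either record format, using constant-time comparison."""
    scheme, *fields = stored.split("$")
    if scheme == "sha1":
        salt_hex, _digest_hex = fields
        candidate = legacy_sha1_hash(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(candidate, stored)
    if scheme == "pbkdf2_sha256":
        iterations, salt_hex, digest_hex = fields
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate.hex(), digest_hex)
    raise ValueError(f"unknown hash scheme: {scheme}")

def login(users, username, password):
    """Authenticate; on success, silently rehash a legacy record with the strong scheme.

    Only a correct login can be upgraded, because the plaintext is needed to compute the
    new hash. Accounts that never log in keep their weak hash, which is why a forced reset
    (as Disqus did after the breach) is still the right call for exposed users.
    """
    stored = users.get(username)
    if stored is None or not verify(password, stored):
        return False
    if stored.startswith("sha1$"):
        users[username] = strong_hash(password)
    return True

# Constructed sample user store, still in the legacy format.
SAMPLE_USERS = {"alice": legacy_sha1_hash("correct horse battery", bytes.fromhex("0102030405060708"))}
```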

Breach Ramifications

Hackers could use the stolen information as part of social engineering techniques, so several outlets have advised impacted users to beware of spam and phishing emails carrying malicious file attachments.

Disqus notes that impacted users should change passwords on other services if these services share the Disqus password. Sharing passwords across multiple services is a bad idea. To make it easy to create and manage unique passwords, use a password manager and consider enabling two-factor authentication where you can.

Have I Been Pwned? is a free service that collects the databases of account information stolen by hackers and informs members if their information is affected. Consider signing up for the service as another way to protect your data security.

The Power of a Good Response

On his website, Troy Hunt (who runs the Have I Been Pwned? website) shared his tweet highlighting Disqus’ quick response:

Hunt goes on to specify several things that Disqus got right in their response, including:

  1. They applied urgency
  2. They disclosed early
  3. They protected impacted accounts very quickly by resetting passwords
  4. They provided details
  5. They apologised

This quick and transparent response received many favorable comments on Twitter.

Room for Improvement

While the response to the breach was noted as quick, the breach highlights ongoing challenges for organizations to quickly identify and deal with incidents. Infosecurity Magazine commented:

“Failing for over five years to realize the data had been compromised once again highlights the lack of visibility many firms have into network activity.”

The delay in noticing the breach confirms the need for active listening programs to combat cyber security threats. Detection software that provides employee, website/application, and privileged user monitoring can help organizations rapidly identify and respond to threats.