Disqus Data Breach: 17.5 Million Exposed, Shows Rapid Response

Disqus, the blog comment hosting service for websites and online communities, just confirmed a security breach. Here are details about the breach and the rapid response from Disqus that is generating positive comments.


Disqus Data Breach Details

Disqus was alerted to the breach on October 5 by Have I Been Pwned? – a site that tells you whether your email address was compromised in a breach. Details about the breach and the response were highlighted on the Disqus website, along with a complete timeline:

  • The breach exposed a snapshot of the user database (more than 17 million users) from 2012, including information dating back to 2007: email addresses, Disqus user names, sign-up dates, and last login dates, all in plain text.
  • Passwords (hashed using SHA1 with a salt; not in plain text) for about one-third of users were included in the breach.
  • No plain text passwords were exposed, but salted SHA1 hashes can be cracked offline, so the underlying passwords could still be recovered.
  • As a security precaution, Disqus reset the passwords for all affected users, and recommended that all users change passwords on other services if they’re shared.
  • Disqus is forcing the reset of passwords for all affected users and contacting all of the users whose information was included to inform them of the situation.
  • Disqus stated that they have made significant upgrades to their database and encryption since 2012 in order to prevent breaches and increase password security. At the end of 2012, Disqus changed the password hashing algorithm from SHA1 to bcrypt.
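To make the two hashing schemes in the list concrete, here is an added example in Python; it is not Disqus's code and says nothing about how their migration was actually implemented. It uses scrypt from the standard library as a stand-in for bcrypt (bcrypt needs a third-party package), and the storage format and function names are assumptions. It shows the legacy salted-SHA1 form, a deliberately slow replacement, constant-time verification of both, and the upgrade-on-login pattern that is the usual way to move an existing user base off a fast hash without ever holding plaintext passwords.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Storage format used throughout this example (an assumption, not Disqus's schema):
#   "<scheme>$<salt hex>$<digest hex>"


def legacy_sha1_hash(password: str, salt: bytes) -> str:
    """Salted SHA1, the fast legacy scheme the article describes. Kept only so
    records written before the migration can still be verified."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def slow_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Deliberately slow, memory-hard hash (standard-library scrypt standing in
    for bcrypt). n=2**14, r=8 costs roughly 16 MiB per guess, which is what makes
    offline cracking of a leaked table expensive compared with SHA1."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a password against whichever scheme the stored record uses.
    The constant-time comparison avoids leaking how many bytes matched."""
    try:
        scheme, salt_hex, _digest = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if scheme == "sha1":
        candidate = legacy_sha1_hash(password, salt)
    elif scheme == "scrypt":
        candidate = slow_hash(password, salt)
    else:
        return False  # unknown scheme
    return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))


def needs_rehash(stored: str) -> bool:
    """True for any record not yet on the slow scheme."""
    return not stored.startswith("scrypt$")


def login(password: str, stored: str) -> Tuple[bool, str]:
    """Returns (authenticated, value_to_store). A successful login with a legacy
    hash is the only moment the plaintext is available, so that is when the
    record is transparently upgraded. Failed logins never change the record."""
    if not verify(password, stored):
        return False, stored
    if needs_rehash(stored):
        return True, slow_hash(password)
    return True, stored


if __name__ == "__main__":
    # Constructed sample record in the shape a 2012-style salted-SHA1 entry would take.
    old_record = legacy_sha1_hash("correct horse battery staple", os.urandom(8))
    ok, new_record = login("correct horse battery staple", old_record)
    print(ok, new_record.split("$")[0])
```

Upgrade-on-login only migrates accounts that actually sign in again, so dormant accounts keep their fast hashes indefinitely; that residual population is one reason a forced reset of every affected account, as Disqus did, is the right move once a legacy table is known to have leaked.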

Breach Ramifications

Hackers could use the stolen information as part of social engineering techniques, so several outlets have advised impacted users to beware of spam and phishing emails carrying malicious file attachments.

Disqus notes that impacted users should change passwords on other services if these services share the Disqus password. Sharing passwords across multiple services is a bad idea. To make it easy to create and manage unique passwords, use a password manager and consider enabling two-factor authentication where you can.

Have I Been Pwned? is a free service that collects the databases of account information stolen by hackers and informs members if their information is affected. Consider signing up for the service as another way to protect your data security.

The Power of a Good Response

On his website, Troy Hunt (who runs the Have I Been Pwned? website) shared a tweet highlighting Disqus’ quick response.

Hunt goes on to specify several things that Disqus got right in their response, including:

  1. They applied urgency
  2. They disclosed early
  3. They protected impacted accounts very quickly by resetting passwords
  4. They provided details
  5. They apologised

This quick and transparent response received many favorable comments on Twitter.

Room for Improvement

While the response to the breach was noted as quick, the breach highlights the ongoing challenge organizations face in identifying and dealing with incidents promptly. Infosecurity Magazine commented:

“Failing for over five years to realize the data had been compromised once again highlights the lack of visibility many firms have into network activity.”

The years-long delay in noticing the breach underscores the need for continuous monitoring programs to detect cyber security threats. Detection software that monitors employees, websites and applications, and privileged users can help organizations identify and respond to threats rapidly.

Marianna Noll

Marianna Noll is a Maryland-based writer with an interest in the impact that technology has on organizations and users. She writes about software, user adoption and engagement with software, and IT security.

2 Responses

  1. October 23, 2017

    […] Heart It were prompt in notifying both affected users and the public. Like the recent Disqus data breach, this breach was discovered by Troy Hunt who runs the Have I Been Pwned? website. Hunt notified We […]

  2. November 22, 2017

    […] READ MORE: How to Create an Insider Incident Response Plan Why Data Breach Lag Time Matters The Rise of Threat Hunting 3 Things Deloitte Could’ve Done Better (and small businesses can learn from) Disqus Data Breach: 17.5 Million Exposed, Shows Rapid Response […]
