Popular comments and discussion tool Disqus has confirmed that its comment system was hacked.
Today, the company confirmed that hackers got access to over details of 17.5 million users in a data breach in July 2012. It surprising to see that the company got this information almost 5 years after the breach.
The company was informed about this data breach on 5th October by an independent security researcher Troy Hunt, who obtained a copy of the site’s information.
Troy Hunt is the person who runs data breach notification service Have I Been Pwned. He confirmed that 71% of emails leaked in this breach were already the part of Have I Been Pwned’s database.
The stolen data includes email addresses, usernames, sign-up dates, and last login dates in plain text formats. Hackers also got access to encrypted passwords for one-third of affected users. The passwords were salted and hashed using the weak SHA-1 algorithm.
The company confirmed that it made lots of improvements on its system after 2012. Now they are using bcrypt, a much stronger password scrambler. The company also said that stolen password only represents less than 10 percent of the company’s current user base.
Now the Disqus has advised all users to change the password. If you use same email password combination on other websites, changer it there as well. Hackers can try these login details on several websites to get access to your other web accounts. They also use it for social engineering. So, you should be alert and avoid any legit looking phishing emails.
It is still unclear how hackers got access to this data. Disqus is still actively investigating this security incident.
Source: Disqus Blog
