Disqus said a 2012 breach discovered on October 5 exposed information on 17.5 million users from as far back as 2007.
A snapshot of the company's 2012 database included user names, sign-up and last-login dates, and email addresses in plain text, as well as passwords hashed using SHA1 with a salt for approximately one-third of users, according to an alert posted by Disqus Co-founder and CTO Jason Yan.
“Our intention is to be as transparent as possible about what happened, when we found out, what the potential consequences may be, and what we are doing about it,” according to the alert, which apologized to its users.
The breach was brought to the attention of Disqus Thursday afternoon by researcher Troy Hunt.
“We are currently in the process of emailing all of the impacted users directly,” Disqus Product Marketing Manager Mario Paganini wrote in a comment on the alert. “Getting all 17.5 million emails out will take us a few days, but we wanted to get this disclosure post out as soon as possible.” The company posted links to the disclosure on user homepages, the publisher admin panel, and disqus.com, Paganini wrote.
“The ongoing, rising waves of breaches such as Disqus, which remained undetected for years, together with the compromised PII resulting from recent mega-breaches, offer fraudsters a rich palette of personal data for account takeovers,” said Lisa Baergen, marketing director at NuData Security Inc.
Noting that it's time to retire password-based authentication, Baergen said that “informed consumers are feeling increasingly helpless and violated, and that each new breach further informs and rightfully spreads concern.”
She called for the industry to respond – “both for assured, secured transactions and to restore trust – by establishing highly secure digital trust based on the user's identity, via passive biometrics and other unique characteristics that can't be mimicked.”