Disqus, maker of the widely used Disqus commenting platform for news and other sites, has suffered a data breach that exposed email addresses and other account details of about 17.5 million users.
The company revealed on Friday that, along with the usernames and email addresses of those users, the attackers also obtained salted SHA-1 password hashes for roughly one-third of them.
The breach traces back to a snapshot of one of the firm's databases taken in 2012, which unnamed attackers got hold of. The snapshot holds records of 17.5 million Disqus users dating back to 2007: email addresses, usernames, sign-up dates and last login dates for all of them, plus salted SHA-1 password hashes for about one-third.
‘The snapshot includes email addresses, Disqus usernames, sign-up dates, and last login dates in plain text for 17.5mm users. Additionally, passwords (hashed using SHA1 with a salt; not in plain text) for about one-third of users are included,’ said Jason Yan, CEO of Disqus, in a blog post published on Friday.
Yan added that an independent security researcher contacted the firm on Thursday to report the suspected breach. Once Disqus had examined the data and confirmed it was genuine, it reset the passwords of all affected users, emailed them about the breach, and then disclosed the incident publicly before 4PM on Friday.
Although the passwords in the snapshot were salted and hashed with SHA-1 rather than stored in plain text, Disqus acknowledged that they are still at risk. SHA-1 is a fast general-purpose hash, not a password hash: an attacker holding the salted hashes can test guesses at very high speed, so common or reused passwords will fall to a dictionary attack. The salt only defeats precomputed tables and forces each hash to be attacked separately; it does nothing to slow the guessing itself. Disqus has therefore asked all affected users to change their passwords immediately, and to do the same on any other site where the password was reused. The firm also acknowledged that all of the breached email addresses are in plain text and can be used for spam and unsolicited marketing.
‘Since 2012, as part of normal security enhancements, we’ve made significant upgrades to our database and encryption in order to prevent breaches and increase password security. Specifically, at the end of 2012 we changed our password hashing algorithm from SHA1 to bcrypt.
‘Our team is still actively investigating this issue, but we wanted to share all relevant information as soon as possible. If more information surfaces we will update this post and share any updates directly to users,’ Yan added.
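To make concrete why ‘hashed using SHA1 with a salt’ is weaker reassurance than it sounds, and what the move to bcrypt buys, here is an added example that is not Disqus's code and not part of the original post. It assumes a hypothetical legacy record format, hex(salt) ‘$’ hex(SHA-1(salt||password)), and a constructed six-word dictionary, and it uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in for bcrypt (same role: a salted hash that is deliberately expensive per guess), since bcrypt needs a third-party package. It shows a dictionary attack succeeding against a salted SHA-1 record, the guess-rate gap between the two schemes, and the usual lazy-migration pattern of re-hashing a legacy record on the user's next successful login.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "disqus2012", "hunter2"]

# Iteration count chosen so the demo runs in well under a second; production
# deployments use far higher counts (or bcrypt/scrypt/Argon2 at a tuned cost).
PBKDF2_ROUNDS = 100_000


def legacy_sha1_hash(password: str, salt: bytes) -> bytes:
    """Salted SHA-1 of the kind the 2012 snapshot is described as holding.
    The salt||password layout is an assumption for illustration."""
    return hashlib.sha1(salt + password.encode()).digest()


def legacy_record(password: str, salt: Optional[bytes] = None) -> str:
    """Hypothetical stored form: hex(salt) '$' hex(sha1(salt||password))."""
    salt = salt if salt is not None else os.urandom(8)
    return salt.hex() + "$" + legacy_sha1_hash(password, salt).hex()


def crack_legacy(record: str, wordlist) -> Optional[str]:
    """Dictionary attack on one salted SHA-1 record. The salt sits next to the
    hash, so it does nothing against per-hash guessing; it only stops
    precomputed tables and forces each hash to be attacked separately."""
    salt_hex, digest_hex = record.split("$")
    salt, target = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    for guess in wordlist:
        if hmac.compare_digest(legacy_sha1_hash(guess, salt), target):
            return guess
    return None


def slow_kdf(password: str, salt: bytes, rounds: int = PBKDF2_ROUNDS) -> bytes:
    """PBKDF2-HMAC-SHA256, used here as a standard-library stand-in for bcrypt:
    a salted hash that is deliberately expensive per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def slow_record(password: str) -> str:
    """Stored form for the slow scheme: 'pbkdf2$rounds$hex(salt)$hex(dk)'."""
    salt = os.urandom(16)
    return "pbkdf2$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), slow_kdf(password, salt).hex())


def verify_slow(record: str, password: str) -> bool:
    _, rounds, salt_hex, dk_hex = record.split("$")
    dk = slow_kdf(password, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def login_and_migrate(store: dict, username: str, password: str) -> bool:
    """Verify a login against whichever scheme the stored record uses. On a
    successful login against a legacy SHA-1 record, re-hash the (now known)
    password with the slow KDF and replace the record: the usual way to retire
    legacy hashes without forcing a reset, since the plaintext is only
    available at login time."""
    record = store[username]
    if record.startswith("pbkdf2$"):
        return verify_slow(record, password)
    salt_hex, digest_hex = record.split("$")
    ok = hmac.compare_digest(
        legacy_sha1_hash(password, bytes.fromhex(salt_hex)), bytes.fromhex(digest_hex)
    )
    if ok:
        store[username] = slow_record(password)
    return ok


def guess_rates(seconds: float = 0.25) -> Tuple[float, float]:
    """Guesses per second one Python thread can try against each scheme.
    Absolute numbers are tiny next to a GPU rig; the ratio is the point."""
    salt = b"\x00" * 16

    def measure(fn):
        n, end = 0, time.perf_counter() + seconds
        while time.perf_counter() < end:
            fn("guess%d" % n, salt)
            n += 1
        return n / seconds

    return measure(legacy_sha1_hash), measure(slow_kdf)


if __name__ == "__main__":
    rec = legacy_record("letmein")
    print("legacy record:", rec)
    print("cracked:", crack_legacy(rec, WORDLIST))
    fast, slow = guess_rates()
    print("salted SHA-1: %.0f guesses/s, PBKDF2: %.1f guesses/s" % (fast, slow))
    store = {"alice": legacy_record("qwerty")}
    print("login:", login_and_migrate(store, "alice", "qwerty"))
    print("migrated record:", store["alice"][:40] + "...")
```

Two things to notice when running it: the salt is right there in the record, so the dictionary attack needs no extra work to handle it, and the per-guess cost of the slow scheme is several orders of magnitude higher even in pure Python. The migration path matters for a case like this one: a site that switched hashing algorithms in 2012 still carries the old hashes for every account that has not logged in since, which is exactly what a 2012 snapshot exposes.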
Troy Hunt, the security researcher who reported the breach to Disqus, praised the firm for its ‘exemplary handling’ of the incident. A number of other Twitter users also remarked that public disclosure within 24 hours of notification was unusually fast.
’23 hours and 42 minutes from initial private disclosure to @disqus to public notification and impacted accounts proactively protected,’ Hunt wrote on Twitter.
‘Extremely rare to see any organization with millions of users react that quickly after a breach. Usually takes weeks for the “quick” ones,’ chipped in another user.
‘This is how you handle a breach…upfront and explained in basic terms. Way to go @disqus, now off to change my password ;-),’ added an affected user.
‘We all jumped on “the Equifax dumpster fire bandwagon” recently and pointed to all the things that went fundamentally wrong with their disclosure process. But it’s equally important that we acknowledge exemplary handling of data breaches when they occur because that’s behaviour that should be encouraged,’ Hunt wrote on his website.