Wednesday 11 October 2017, Security guide

Disqus users’ data leakage exposed

Lost24

Disqus, a worldwide blog comment hosting service for websites and online communities, has admitted that it was hacked 5 years ago, in July 2012.

The stolen data included e-mail addresses, usernames, sign-up dates, and last login dates in plain text for over 17.5 million users. The hackers also got their hands on the passwords of about 71% of the affected users; these were salted and hashed with the weak SHA-1 algorithm.

The theft was discovered this week after the database was sent to Troy Hunt, who runs the data breach notification service Have I Been Pwned and who then informed Disqus of the breach. The company claims that although there is no evidence of unauthorized logins, affected users will be e-mailed about the breach and their previous passwords will be forcibly reset. In addition, Disqus explained that it had switched from SHA-1 to the much more secure bcrypt algorithm, which makes it difficult for attackers to recover users' actual passwords from the stolen hashes.
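The migration the article describes, from legacy salted SHA-1 records to a slow password hash, can be done transparently at login time. The following is an added example, not Disqus code: it assumes a simple `scheme$salt$digest` record format and uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in for bcrypt so that it runs without third-party packages.

```python
import hashlib
import hmac
import os

# Constructed example: a tiny credential store that verifies both the legacy
# salted-SHA-1 records and the new slow-hash records, and upgrades a legacy
# record the first time its owner logs in successfully.
LEGACY_PREFIX = "sha1"
STRONG_PREFIX = "pbkdf2_sha256"   # stand-in for bcrypt (assumption)
PBKDF2_ITERATIONS = 200_000       # work factor: each guess costs this many rounds


def legacy_sha1_hash(password, salt):
    """Salted SHA-1 as the legacy scheme: a single fast digest, cheap to brute-force."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"{LEGACY_PREFIX}${salt.hex()}${digest}"


def strong_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated hash; the work factor is stored so it can be raised later."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{STRONG_PREFIX}${iterations}${salt.hex()}${dk.hex()}"


def verify(password, stored):
    """Check a password against a record of either scheme in constant time."""
    scheme, rest = stored.split("$", 1)
    if scheme == LEGACY_PREFIX:
        salt_hex, _ = rest.split("$", 1)
        candidate = legacy_sha1_hash(password, bytes.fromhex(salt_hex))
    elif scheme == STRONG_PREFIX:
        iters, salt_hex, _ = rest.split("$", 2)
        candidate = strong_hash(password, bytes.fromhex(salt_hex), int(iters))
    else:
        return False
    return hmac.compare_digest(candidate, stored)


def login_and_upgrade(password, stored):
    """Return (ok, record); a legacy record is re-hashed once the password checks out."""
    if not verify(password, stored):
        return False, stored
    if stored.startswith(LEGACY_PREFIX + "$"):
        return True, strong_hash(password)
    return True, stored
```

Because the plaintext is only available at login, records of users who never return stay on the weak scheme; that is why a forced reset, as Disqus announced, still matters after a migration like this.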

It is most likely that hackers could use this stolen information in tandem with social engineering techniques to gain further information on victims. Therefore, it is advisable to beware of spam and phishing e-mail messages containing malicious file attachments.