Disqus Confirms 17.5 Million Accounts Hacked During 2012 Security Breach

Do you know what hackers were doing around this time five years ago? They were breaking into a database at Disqus, the popular blog comment hosting service supported by scores of websites, in many cases in place of traditional web forums (remember those?). Disqus only found out about it this past Thursday and began alerting users a day later, rather than waiting like many companies often do.

"On October 5th, we were alerted to a security breach that impacted a database from 2012. While we are still investigating the incident, we believe that it is best to share what we know now," Disqus stated in a blog post. "We know that a snapshot of our user database from 2012, including information dating back to 2007, was exposed."

Image Source: Flickr (Amber Rae)

Disqus said the snapshot contained email addresses, user names, sign-up dates, and last login dates in plain text for around 17.5 million users. It also included passwords for around one-third of affected users, though not in plain text: they were hashed using SHA1 with a salt. That means the passwords themselves were not stored; each was run through a one-way hash together with a random salt value, which makes them harder (though not impossible) to crack.
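To make the distinction concrete, here is an added example (not code from Disqus or from the original article) of what a salted SHA1 password record looks like next to a modern slow-hash record, and how a site would verify against both while quietly re-hashing legacy entries on a successful login. The `sha1$salt$digest` format, the PBKDF2 parameters and the sample user table are all constructed for illustration; Disqus has not published its actual storage format.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Legacy scheme (assumed for illustration): SHA1 over salt + password.
# Fast hashes like SHA1 let an attacker test billions of guesses per second
# against a leaked record, salt or no salt.
def hash_legacy(password: str, salt: bytes) -> str:
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"sha1${salt.hex()}${digest}"


# Modern scheme: PBKDF2-HMAC-SHA256 with a high iteration count, so every
# guess costs the attacker roughly as much CPU as it costs the server.
PBKDF2_ITERATIONS = 600_000


def hash_modern(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a password against either record format using a constant-time compare."""
    parts = stored.split("$")
    if parts[0] == "sha1" and len(parts) == 3:
        candidate = hash_legacy(password, bytes.fromhex(parts[1]))
    elif parts[0] == "pbkdf2_sha256" and len(parts) == 4:
        _, iterations, salt_hex, _ = parts
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        candidate = f"pbkdf2_sha256${iterations}${salt_hex}${digest.hex()}"
    else:
        return False  # unknown or malformed record: never accept
    return hmac.compare_digest(candidate, stored)


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Verify the password; if it matches a legacy record, return a re-hashed record
    so the caller can overwrite the SHA1 entry. Failed logins leave the record untouched."""
    ok = verify(password, stored)
    if ok and stored.startswith("sha1$"):
        return True, hash_modern(password)
    return ok, stored


def legacy_accounts(records: Dict[str, str]) -> List[str]:
    """Audit helper: which accounts still carry a fast-hash record and need a
    forced reset or re-hash (what Disqus did by resetting affected users)."""
    return sorted(user for user, rec in records.items() if rec.startswith("sha1$"))


# Constructed sample user table (not breach data).
FIXED_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_USERS: Dict[str, str] = {
    "alice": hash_legacy("correct horse battery staple", FIXED_SALT),
    "bob": hash_legacy("letmein", FIXED_SALT),
    "carol": hash_modern("tr0ub4dor&3", FIXED_SALT),
}

if __name__ == "__main__":
    print("accounts still on salted SHA1:", legacy_accounts(SAMPLE_USERS))
    ok, upgraded = verify_and_upgrade("letmein", SAMPLE_USERS["bob"])
    print("bob login ok:", ok, "| record now starts with:", upgraded.split("$")[0])
```

The upgrade-on-login pattern only helps users who log in again; accounts that never return keep their weak record, which is why a forced reset of every affected account, as Disqus chose, is the right response once a fast-hash snapshot is known to have leaked.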

"Right now there isn’t any evidence of unauthorized logins occurring in relation to this. No plain text passwords were exposed, but it is possible for this data to be decrypted (even if unlikely). As a security precaution, we have reset the passwords for all affected users. We recommend that all users change passwords on other services if they are shared," Disqus added.

Disqus believes the bigger threat from this is that users may receive spam or other unwanted emails, as users' email addresses were stored in plain text. Nevertheless, Disqus has reset the passwords for all affected accounts. We should also mention that HotHardware was not using Disqus for our comments engine at the time of the breach in 2012.