The Daily Swig Web security digest

Rapid response: Disqus alerts users to hack in just 24hrs

James Walker | 09 October 2017 at 10:00

Blog comment hosting service commended for quick actions over data breach.

Disqus, the market-leading blog comment hosting service, has been hit by a security breach thought to have exposed the data of more than 17 million users.

The company, which offers a range of add-on tools that help websites increase visitor engagement, said last week that a snapshot of its user database from 2012 was exposed.

This included email addresses, Disqus user names, sign-up dates, and last login dates in plain text for 17.5 million users.

Additionally, passwords for about one-third of users were also compromised. These were hashed using SHA1 with a salt: the salt rules out shared precomputed lookup tables, but SHA1 is a fast hash, so weak passwords remain exposed to offline dictionary guessing, which is why the forced reset described below matters.
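The following is an added worked example, not code from the article or from Disqus, illustrating why a salt alone does not rescue a fast hash. It assumes the construction SHA1(salt || password), which the article does not specify, uses constructed sample users and a constructed wordlist, and contrasts it with an iterated PBKDF2 hash chosen here for comparison only (the page does not say what Disqus upgraded to). Salts force the attacker to hash every candidate once per record, but with SHA1 each evaluation is so cheap that the per-record cost is negligible.

```python
import hashlib
import os
import time

# Constructed records in the shape the article describes: a per-user salt plus
# a SHA-1 digest. How the salt and password were combined is not stated on the
# page; SHA1(salt || password) is assumed here purely for illustration.


def sha1_salted(salt: bytes, password: str) -> str:
    return hashlib.sha1(salt + password.encode()).hexdigest()


def pbkdf2_salted(salt: bytes, password: str, rounds: int = 100_000) -> str:
    # Deliberately slow, iterated construction used only as a comparison point.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def make_records(passwords: dict, hash_fn, salt_len: int = 8) -> dict:
    """Return {user: (salt_hex, digest)} with a fresh random salt per user."""
    out = {}
    for user, pw in passwords.items():
        salt = os.urandom(salt_len)
        out[user] = (salt.hex(), hash_fn(salt, pw))
    return out


def dictionary_attack(records: dict, wordlist: list, hash_fn) -> tuple:
    """Try each candidate against every record.

    Unique salts mean nothing is shared between records, so the worst-case
    cost is len(records) * len(wordlist) hash evaluations. Whether that is
    affordable depends entirely on the cost of one evaluation.
    Returns (recovered, evaluations).
    """
    recovered, evaluations = {}, 0
    for user, (salt_hex, digest) in records.items():
        salt = bytes.fromhex(salt_hex)
        for candidate in wordlist:
            evaluations += 1
            if hash_fn(salt, candidate) == digest:
                recovered[user] = candidate
                break
    return recovered, evaluations


# Constructed sample data: three weak passwords and one random one.
SAMPLE_PASSWORDS = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "qwerty123",
    "dave": "x7$Qp!v2Lm9#aB",
}
# Constructed stand-in for a real cracking dictionary.
WORDLIST = ["123456", "password", "password1", "letmein",
            "qwerty", "qwerty123", "hunter2"]


def compare(rounds_for_pbkdf2: int = 100_000) -> dict:
    """Run the same attack against the same users under both hashes and time it."""
    results = {}
    hashes = (
        ("sha1", sha1_salted),
        ("pbkdf2", lambda s, p: pbkdf2_salted(s, p, rounds_for_pbkdf2)),
    )
    for name, hash_fn in hashes:
        records = make_records(SAMPLE_PASSWORDS, hash_fn)
        start = time.perf_counter()
        recovered, evals = dictionary_attack(records, WORDLIST, hash_fn)
        results[name] = {
            "recovered": recovered,
            "evaluations": evals,
            "seconds": time.perf_counter() - start,
        }
    return results


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:7s} recovered={sorted(r['recovered'])} "
              f"evals={r['evaluations']} seconds={r['seconds']:.3f}")
```

Both hashes give up the same three weak passwords after the same 20 evaluations; the only thing that changes is the wall-clock cost, which is what separates a salted fast hash from a salted slow one. On a real dump with millions of records and a multi-gigabyte wordlist, that cost difference is the whole defence.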

While the breach raises serious questions over Disqus’ data management protocols, cybersecurity experts praised the San Francisco-based company’s rapid response in alerting users to the situation.

After finding out about the breach on October 5, it took the Silicon Valley firm less than 24 hours to make its findings public.

“While we are still investigating the incident, we believe that it is best to share what we know now,” Disqus said in a blog post.

----------------------------------------

Timeline of events

  • Thursday, October 5, 2017, 4:18 PM PDT. Disqus informed of breach by independent security researcher.
  • Thursday, October 5, 2017, 4:56 PM PDT. Company obtains and verifies exposed data.
  • Friday, October 6, 2017. Disqus starts contacting users and resetting affected passwords.
  • Friday, October 6, 2017, before 4:00 PM PDT. Public disclosure of breach.
----------------------------------------

In addition to emailing customers and posting an update on its website, Disqus changed its Twitter title tag to alert users to the breach.

Although Disqus said it had made “significant upgrades” to its database and encryption since 2012, the company has forced a password reset for all affected users as a “precautionary measure”.

The independent security researcher who informed Disqus of the breach was Troy Hunt, owner of the Have I Been Pwned website, which allows internet users to check if their personal data has been compromised.

Discussing the company’s quick response to its knowledge of the breach, Hunt said: “We all jumped on ‘the Equifax dumpster fire bandwagon’ recently and pointed to all the things that went fundamentally wrong with their disclosure process.

“But it’s equally important that we acknowledge exemplary handling of data breaches when they occur because that’s behavior that should be encouraged.”

Hunt added: “This was a dark moment for Disqus and there’s no sugar-coating the fact that somehow, somewhere, someone on their end screwed up and they lost control of customer data.

“But look at the public sentiment after their disclosure. Because of the way Disqus handled the situation, it’s resoundingly positive.”