Email addresses and other data associated with roughly 17.5 million accounts on Disqus, a popular online comment hosting service, were exposed as the result of a newly discovered security breach, according to the company.
Disqus recently learned that a database containing five years’ worth of user records was breached, the company said Friday, in turn exposing the email addresses, user names, sign-up dates and last login dates for about 17.5 million registered accounts.
Encrypted passwords pertaining to about 5 million Disqus users were also leaked, the company said in a statement.
“Right now there isn’t any evidence of unauthorized logins occurring in relation to this. No plain text passwords were exposed, but it is possible for this data to be decrypted (even if unlikely),” Disqus said in a statement. “As a security precaution, we have reset the passwords for all affected users. We recommend that all users change passwords on other services if they are shared.”
“We sincerely apologize to all of our users who were affected by this breach,” the statement said. “Our intention is to be as transparent as possible about what happened, when we found out, what the potential consequences may be and what we are doing about it.”
The breach affected a database from 2012 containing user records dating back to 2007, Disqus said.
Disqus provided online commenting services to about 35 million users across 750,000 websites as of 2011, according to its own statistics. The records compromised by the recently discovered breach represented less than 10 percent of the company’s current user base, Disqus CEO Daniel Ha told ZDNet.
The Washington Times website currently utilizes services offered by Disqus to provide visitors with a platform for commenting on articles. Other customers that use Disqus on their websites include fellow news outlets Bloomberg, Breitbart, CNN and CNBC, according to the company.
Disqus said the breach was discovered Thursday afternoon by Troy Hunt, an acclaimed security researcher who runs a website — https://haveibeenpwned.com — that allows internet users to see if their personal data has been compromised by security breaches.
“In the space of less than 24 hours after first learning of the breach, Disqus has managed to assess the breach data, establish a timeline of events, reset passwords on impacted accounts, craft a very transparent announcement and liaise candidly with the press,” Mr. Hunt told ZDNet. “It’s a gold standard for responding to a security incident and sets a very high bar for others to aspire to in future.”
Mr. Hunt’s website currently hosts a database containing records for more than 4.7 billion user accounts compromised by security breaches. About 71 percent of the email addresses exposed by the Disqus breach already appeared on the database as the result of being exposed by earlier incidents, Mr. Hunt told ZDNet.