We’ve brought you plenty of troubling hacking news here at SFist recently, from the Yahoo email account hacks to the recent Whole Foods breach to, you know, that thing that got Donald Trump elected president. But this one hits pretty close to home, as we learn that our own third-party commenting platform Disqus has been breached. ZDNet alerts us that some 17.5 million commenters' accounts were hacked as of July 2012; that means that you legacy commenters from prior to 2012 may have had your Disqus usernames, emails, and in some cases passwords from that period exposed. But we’re relieved to note that everyone whose data was breached is being notified by email, and if you don’t get that email in the near future then you’re likely clean. (Additionally, if you ‘Log in with Facebook’ your information is safe.)
The compromise was discovered by Have I Been Pwned, which many of you have mixed feelings about, but which certainly does its due diligence on finding new breaches. (Just last week, Pwned notified several million users breached on Bit.ly and Kickstarter.) A whopping 17 million accounts are affected by this five-year-old breach, though SFist accounts are only a tiny percentage of these. Over the years, Disqus has been employed as the commenting platform for big, international websites like CNN and The Atlantic.
Disqus did acknowledge the breach and notify users within 24 hours of discovery. “We know that a snapshot of our user database from 2012, including information dating back to 2007, was exposed,” the company said in a Friday blog post. “The snapshot includes email addresses, Disqus user names, sign-up dates, and last login dates in plain text for 17.5mm users.”
But obviously, the passwords are going to be the biggest concern. The passwords were ‘salted’ in a Disqus internal database, but with an algorithm from that era that has since largely been cracked. “No plain text passwords were exposed, but it is possible for this data to be decrypted (even if unlikely),” Disqus said. “As a security precaution, we have reset the passwords for all affected users. We recommend that all users change passwords on other services if they are shared.”
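The distinction Disqus is drawing, that a salt was present but the hashing algorithm was one of its era, is worth seeing in code. The following is an added example, not Disqus’s code; the post does not name the algorithm, so salted SHA-1 is assumed here as a stand-in for a fast hash of that period, and PBKDF2-HMAC-SHA256 with a 600,000-iteration work factor (the current OWASP guidance) stands in for what a service would use today. The record format, the `needs_upgrade` / `upgrade_on_login` helpers and the sample password are all constructed for illustration.

```python
"""Legacy fast salted hash vs. a slow, salted KDF for stored passwords.

Added example, not Disqus's code. The page only says passwords were 'salted'
with an algorithm of that era; salted SHA-1 is assumed here as the stand-in.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256 (assumed modern setting)


def legacy_hash(password: str, salt: bytes) -> bytes:
    """One fast SHA-1 over salt||password: the salt defeats precomputed tables, nothing more.

    Once the salt leaks with the hash, every guess still costs only one cheap SHA-1."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def modern_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: same salt idea, but each guess costs `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, scheme: str = "pbkdf2", iterations: int = PBKDF2_ITERATIONS) -> str:
    """Produce a self-describing stored record: scheme$iterations$salt$hash (hex fields)."""
    salt = os.urandom(16)  # fresh per-user salt, never reused across users
    if scheme == "sha1":
        digest = legacy_hash(password, salt)
        iterations = 1
    elif scheme == "pbkdf2":
        digest = modern_hash(password, salt, iterations)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return f"{scheme}${iterations}${salt.hex()}${digest.hex()}"


def verify(record: str, password: str) -> bool:
    """Recompute the hash under the record's own parameters and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "sha1":
        candidate = legacy_hash(password, salt)
    elif scheme == "pbkdf2":
        candidate = modern_hash(password, salt, int(iterations))
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_upgrade(record: str) -> bool:
    """True when a record still uses the legacy scheme (rehash on next successful login)."""
    return record.split("$", 1)[0] == "sha1"


def upgrade_on_login(record: str, password: str) -> str:
    """Verify the password; if the record is legacy, return a fresh PBKDF2 record for it.

    This is the usual migration path: the plaintext is only available at login time."""
    if not verify(record, password):
        raise ValueError("bad password")
    return make_record(password, "pbkdf2") if needs_upgrade(record) else record


def cost_ratio(password: str = "constructed-sample", legacy_samples: int = 2000) -> float:
    """How many legacy guesses fit in the time of one PBKDF2 guess (machine-dependent)."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(legacy_samples):
        legacy_hash(password, salt)
    legacy_each = (time.perf_counter() - t0) / legacy_samples
    t0 = time.perf_counter()
    modern_hash(password, salt)
    modern_each = time.perf_counter() - t0
    return modern_each / legacy_each


if __name__ == "__main__":
    rec = make_record("constructed-sample", "sha1")
    print("legacy record:", rec, "| upgrade needed:", needs_upgrade(rec))
    print("after login:", upgrade_on_login(rec, "constructed-sample")[:40], "...")
    print(f"one PBKDF2 guess costs about {cost_ratio():,.0f} legacy guesses on this machine")
```

The point of `cost_ratio` is the one Disqus’s statement hinges on: a salt stops an attacker reusing precomputed tables across users, but it does nothing to slow down guessing against a single leaked hash, which is why “decrypted (even if unlikely)” is the honest phrasing for a fast 2012-era scheme. The `upgrade_on_login` helper shows the other half of a sensible response, rehashing legacy records under the slow scheme as users next authenticate, alongside the forced resets Disqus announced.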
“Email addresses are [exposed] in plain text here, so it’s possible that affected users may receive spam or unwanted emails,” the company adds. “Right now there isn’t any evidence of unauthorized logins occurring in relation to this.”
If your data was exposed in this breach (and my heart goes out to you, because mine was in there too), you were likely already exposed from other large-scale hacks. ZDNet notes that “71 percent of email addresses were already in Have I Been Pwned's database of more than 4.7 billion records.”
Have I Been Pwned thinks Disqus’ response to the breach has been exemplary. “In the space of less than 24 hours after first learning of the breach, Disqus has managed to assess the breach data, establish a timeline of events, reset passwords on impacted accounts, craft a very transparent announcement and liaise candidly with the press,” Have I Been Pwned admin Troy Hunt told ZDNet. “It's a gold standard for responding to a security incident and sets a very high bar for others to aspire to in future.”
Hunt (also a victim of this breach!) elaborates on his own blog. “This was a dark moment for Disqus and there's no sugar-coating the fact that somehow, somewhere, someone on their end screwed up and they lost control of customer data,” he writes. “But look at the public sentiment after their disclosure; because of the way Disqus handled the situation, it's resoundingly positive. Compare that to Equifax.”
SFist (and the broader Gothamist blog family) switched to the Disqus commenting platform back in 2010, a time when “My cousin made $12,000 in a month!” spam comments were common across the blogosphere, so publishers had to do something. The only SFist commenter data exposed in this breach would be from those of us who commented on this site between 2010 and 2012. We know who we are. And if we haven’t yet, we ought to establish different passwords for every site we use, and consider password managers like 1Password or LastPass. (LastPass’s basic version is free!)
It is times like these when tech people admonish us non-tech people that we are misusing their terminology; in this case, the argument is that this was a “breach” and not a “hack.” Disqus’ announcement takes great pains to not use the word “hack,” and the difference between the two is essentially defined as the unintentional loss of data versus the malicious intent to steal or do damage with that data. To someone whose username, email, and password are exposed, I’m not sure there’s much distinction if the information is flying around on the internet. The damage is done.
And there may be a whole lot more damage to come. As Troy Hunt notes on his blog, “I still have multiple other data breaches from the same set that Disqus came in and totalling tens of millions of records. I'm quite sure the companies involved don't know they were breached and nor do their customers.”