Disqus has revealed that hackers stole details of more than 17.5 million users in a major data breach in July 2012. The company, which provides a web-based plugin for websites and blogs, said the compromised data includes usernames, sign-up dates and last log-in dates in plain text.
About a third of the compromised accounts contained passwords that were salted and hashed using the weak SHA-1 algorithm. Disqus said the exposed user data dates back to 2007 with the most recent data exposed from July 2012.
Security expert Troy Hunt, founder of the data breach notification website Have I Been Pwned, discovered the breach this week and informed the company of the intrusion on Thursday (5 October). Disqus said it began notifying users of the breach on Friday and reset the passwords of all affected users.
"While we are still investigating the incident, we believe that it is best to share what we know now," Disqus' chief technology officer Jason Yan said in a blog post.
"We sincerely apologise to all of our users who were affected by this breach. Our intention is to be as transparent as possible about what happened, when we found out, what the potential consequences may be, and what we are doing about it.
"Right now there isn't any evidence of unauthorized logins occurring in relation to this. No plain text passwords were exposed, but it is possible for this data to be decrypted (even if unlikely)."
As a precaution, Disqus has reset the passwords of all affected users and advised them to change their passwords on other services and platforms if they happen to share the same credentials. The company also warned users against possible spam and phishing emails since email addresses were exposed in plain text in the attack.
"At this time, we do not believe that this data is widely distributed or readily available," Yan said. "Since 2012, as part of normal security enhancements, we've made significant upgrades to our database and encryption in order to prevent breaches and increase password security. Specifically, at the end of 2012 we changed our password hashing algorithm from SHA1 to bcrypt.
"Our team is still actively investigating this issue, but we wanted to share all relevant information as soon as possible... Again, we're sorry about this. Your trust in Disqus is important to us and we're working hard to maintain that."
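The switch Yan describes, from salted SHA-1 to bcrypt, is normally done without ever holding the plaintext: a legacy record is verified on login and, on success, rehashed under the slow scheme. The example below is added here to illustrate that upgrade-on-login pattern and is not Disqus code; it uses `hashlib.scrypt` as a stand-in for bcrypt (an assumption, since bcrypt is not in Python's standard library), and the record format and function names are invented.

```python
import hashlib
import hmac
import os

# scrypt parameters for the slow hash. scrypt stands in for bcrypt here
# because bcrypt is not in the standard library (assumption of this example).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def legacy_sha1_record(password: str, salt: bytes) -> str:
    """Legacy record: one fast SHA-1 pass over salt + password."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def _scrypt_digest(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def slow_record(password: str) -> str:
    """New record: fresh random salt, memory-hard scrypt digest."""
    salt = os.urandom(16)
    return f"scrypt${salt.hex()}${_scrypt_digest(password, salt).hex()}"


def verify_and_upgrade(password: str, stored: str) -> tuple[bool, str]:
    """Check `password` against `stored`. Returns (ok, record_to_store):
    a legacy record that verifies is replaced by a slow-hash record,
    anything else is returned unchanged."""
    scheme, salt_hex, digest_hex = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "sha1":
        candidate = hashlib.sha1(salt + password.encode()).hexdigest()
        if not hmac.compare_digest(candidate, digest_hex):  # constant-time
            return False, stored
        return True, slow_record(password)  # rehash while plaintext is in hand
    if scheme == "scrypt":
        candidate = _scrypt_digest(password, salt).hex()
        return hmac.compare_digest(candidate, digest_hex), stored
    raise ValueError(f"unknown hash scheme {scheme!r}")
```

Accounts that never log in again keep their legacy record, which is why a forced reset of those accounts is still needed after an algorithm change.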
Hunt said 71% of email addresses compromised were already in Have I Been Pwned's database.