Disqus Hacked: 17.5 Million Users Affected
Disqus, the company that provides a web-based comment plugin for websites and blogs, has admitted that it was breached 5 years ago in July 2012 and that hackers stole details of more than 17.5 million users.
The stolen data includes email addresses, usernames, sign-up dates, and last login dates in plain text for all 17.5 million users.
Hackers also got their hands on passwords for about one-third of the affected users, which were salted and hashed using the weak SHA-1 algorithm.
The company said the exposed user information dates back to 2007, with the most recent exposed data from July 2012.
According to Disqus, the company became aware of the breach Thursday (5th October) evening after independent security researcher Troy Hunt, who obtained a copy of the site's information, notified the company.
Within about 24 hours, Disqus disclosed the data breach and started contacting its affected users, forcing them to reset their passwords as soon as possible.
However, since late 2012 Disqus has made other upgrades to improve its security and changed its password hashing algorithm to Bcrypt, a much stronger cryptographic algorithm which makes it difficult for hackers to obtain users' actual passwords.
In addition to resetting your Disqus password, you are advised to change your passwords on other online services and platforms if you share the same credentials there.
It is most likely that hackers could use this stolen information in tandem with social engineering techniques to gain further information on victims. So, you are advised to beware of spam and phishing emails carrying malicious file attachments.
It is still unclear how hackers got their hands on Disqus data. San Francisco-based Disqus is still actively investigating this security incident.