Slashdot Mirror

← Back to Stories (view on slashdot.org)

Disqus Confirms Over 17.5 Million Email Addresses Were Stolen In 2012 Hack of Its Comments Tool (zdnet.com)

Posted by BeauHD on from the security-breach dept.

Disqus, a company that builds and provides a web-based comment plugin for news websites, said Friday that hackers stole more than 17.5 million email addresses in a data breach in July 2012. "About a third of those accounts contained passwords, salted and hashed using the weak SHA-1 algorithm, which has largely been deprecated in recent years in favor of stronger password scramblers," reports ZDNet. From the report: Some of the exposed user information dates back to 2007. Many of the accounts don't have passwords because they signed up to the commenting tool using a third-party service, like Facebook or Google. The theft was only discovered this week after the database was sent to Troy Hunt, who runs data breach notification service Have I Been Pwned, who then informed Disqus of the breach. The company said in a blog post, posted less than a day after Hunt's private disclosure, that although there was no evidence of unauthorized logins, affected users will be emailed about the breach. Users whose passwords were exposed will have their passwords force-reset. The company warned users who have used their Disqus password on other sites to change the password on those accounts.

3 of 81 comments (clear)

  1. Meh. by Frosty+Piss · · Score: 3, Informative

    I'm really not sure how much I consider an email "breach" all that big a deal. Most people use semi-disposable email anyway, and how is your email address much more secret than your street address? I suppose they could use them in a big data-mining cross-reference deal, but at this point, I'm kind of "so what".

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Meh. by JohnFen · · Score: 4, Informative

      It wouldn't be a big deal, except that people generally have terrible password habits. The main issue here will be people who tend to use the same password in multiple places.

      The risk is if the hashes are cracked (which is doable if someone thinks it's worth the effort). If that's done, then there will be a sizable percentage of people who use the same email address combined with the same password on other sites too. Potentially banking sites, ebay accounts, etc. Thieves know people do this, and look for it.

      Those people are at severe risk and need to know.

  2. SHA-1's flaws have nothing to do with this by plover · · Score: 5, Informative

    "About a third of those accounts contained passwords, salted and hashed using the weak SHA-1 algorithm, which has largely been deprecated in recent years in favor of stronger password scramblers,"

    Sigh. If you're going to pick a quote, pick one that states a meaningful fact. SHA-1's flaw is that it allows a pre-image attack, where an attacker can craft a duplicate message that yields the same hash value as a different message, which is very useful for forging signatures on certificates. But that flaw is utterly useless for more efficiently brute force attacking a password that was hashed with SHA-1.

    All the information I gleaned from this quote is that the author doesn't understand what he's talking about, and his writing isn't worth reading. Oh, and that my password on Disqus is still safe.

    --
    John