Disqus, the developer of website comment systems used worldwide, just confessed one of its databases was swiped by hackers who stole more than 17.5 million email addresses in a data breach in July 2012.
About a third of those accounts contained passwords, salted and hashed using the weak SHA-1 algorithm, which has largely been deprecated in recent years in favour of stronger password scramblers. The data also contained sign-up dates and the date of the last login.
The company said in a blog post, published less than a day after Hunt’s private disclosure, that although there was no evidence of unauthorized logins, affected users would be emailed about the breach.
Users whose passwords were exposed will have their passwords force-reset.
The San Francisco-based service reset all user passwords, but many users access Disqus through their Facebook or Google accounts. Disqus advised changing those passwords as well.
“We recommend that all users change passwords on other services if they are shared,” Yan added. “We’ve taken action to protect the accounts that were included in the data snapshot.”
Disqus Security Alert: User Info Breach