Cyber Incident Victim: Disqus
Date: Jul 2012
Location: United States of America
Summary
A data breach at Disqus exposed details of approximately 17.5 million user accounts, including email addresses, usernames, sign-up dates, and last login dates. A subset of the records also contained passwords hashed with an outdated algorithm. The incident was discovered after external analysis of the stolen data, prompting the company to reset affected credentials; it reported no evidence of unauthorized account access. Security enhancements made after the breach included moving password storage to a more robust hashing algorithm.
Description
Disqus confirmed a data breach on October 6, 2017, after being alerted by Australian security researcher Troy Hunt the previous day. Hunt had obtained a copy of stolen user data and notified the company, prompting an investigation that concluded within 23 hours and 42 minutes. The breach occurred in July 2012, with the last entry in the compromised dataset dating to that month. Attackers accessed details of approximately 17.5 million user accounts created between Disqus's 2007 founding and July 2012. Exposed information included email addresses, usernames, account creation dates, and last login timestamps—all stored in plaintext. Approximately one-third of the affected accounts also contained passwords hashed using the SHA-1 algorithm. Disqus identified no evidence suggesting attackers obtained bcrypt-hashed passwords or more recent credentials, as the company had upgraded its password storage mechanisms after 2012.

The company initiated password resets for all impacted users despite assessing the immediate risk as minimal, citing the age of the breach and the fact that the exposed passwords were hashed. Disqus noted it had transitioned from SHA-1 to bcrypt for password hashing by late 2012 as part of routine security enhancements, which included database and encryption improvements. Internal investigations revealed no indications of unauthorized account access stemming from the breach. While asserting that user accounts faced no active threats, Disqus continued investigating the incident and began notifying affected individuals through security alerts. The organization emphasized its post-2012 security upgrades as mitigating factors against similar future incidents but did not disclose the breach's initial attack vector or the identity of the threat actors.
