Disqus, one of the biggest companies providing third-party web commenting to many popular websites, has finally confirmed that its commenting system was hacked.
Last Friday, the company said that hackers stole more than 17.5 million email addresses during a data breach in July 2012.
Nearly one-third of these passwords were hashed using the SHA-1 algorithm, which was a fine algorithm by the standards of those days but has in recent years been deprecated in favour of stronger algorithms. The leaked data also contained sign-up dates and the dates of the last logins.
Some of the exposed user information dates back to 2007.
Many accounts do not have passwords because their users signed up through a third-party service such as Facebook or Google.
The details of the theft became known only last week, after the database was sent to Troy Hunt, who runs the popular internet service Have I Been Pwned. He then informed Disqus about the breach.
A day after Hunt's private disclosure, the company said in a blog post that although there is no evidence of any unauthorized logins, the affected users will be emailed about this breach.
Passwords will be forcibly reset on the accounts of users whose passwords were exposed.
The company warned users who have reused their Disqus password on other sites to change the password on those accounts.
“Since 2012, as part of normal security enhancements, we’ve made significant upgrades to our database and encryption in order to prevent breaches and increase password security,” said Jason Yan, chief technology officer, in the post.