Anyone who’s been using Disqus since 2012 should take heed of the following warning – a 2012 user database containing email addresses, Disqus usernames and hashed passwords was breached last week.
It’s important to remember that this is not all of Disqus’s user data, but it does affect some 17.5 million users according to Tom’s Hardware.
At the time of writing, Disqus has said that it has not seen any unauthorised logins, but criminals could be cracking these SHA1-hashed passwords as we speak. The firm’s advice is to change any passwords which were the same as the one you used for your Disqus account back in 2012.
Disqus has said that email addresses were stored in plain text and users might notice an uptick in the amount of spam emails they receive.
“As a precautionary measure, we are forcing the reset of passwords for all affected users. We are contacting all of the users whose information was included to inform them of the situation,” said Disqus in a blog post.
Disqus added that it doesn’t believe there is any threat to user accounts at this time and has made significant enhancements to its database encryption since 2012. These improvements include using the bcrypt hashing algorithm for passwords rather than SHA1.
“Our team is still actively investigating this issue, but we wanted to share all relevant information as soon as possible. If more information surfaces we will update this post and share any updates directly to users. Again, we’re sorry about this. Your trust in Disqus is important to us and we’re working hard to maintain that,” concluded the firm.