Disqus, the developer of website comment systems used worldwide, is playing the old "bury bad news late on a Friday" card – as it just confessed one of its databases was swiped by hackers.
The software maker, which produces reader comment boards for blogs and newspapers everywhere, admitted at 4pm Pacific Time, Friday, that a network intruder was able to grab a copy of a database snapshot from 2012 – which contained nearly 18 million account records, from email addresses to, in about a third of them, SHA1-hashed passwords.
"While we are still investigating the incident, we believe that it is best to share what we know now. We know that a snapshot of our user database from 2012, including information dating back to 2007, was exposed," Disqus founder Jason Yan said today.
"The snapshot includes email addresses, Disqus user names, sign-up dates, and last login dates in plain text for 17.5m users. Additionally, passwords (hashed using SHA1 with a salt; not in plain text) for about one-third of users are included."
According to Yan, the security breach was only discovered Thursday at 4.18pm PT, when Australian Microsoft cheerleader and HaveIBeenPwned overlord Troy Hunt spotted the lifted data in the wild. Within an hour, Yan said, the Disqus team had analyzed and verified the data as authentic.
Now, San Francisco-based Disqus said, after spending the day notifying users of the hack, it went public with the finding in the interest of prompt disclosure and definitely not as an effort to minimize coverage of the issue.
Yan said his biz has reset the passwords for all Disqus accounts exposed to the database thieves, and is advising users to do the same for any other accounts that shared the same password. Disqus noted that since 2012 it has not stored any of its passwords hashed with SHA1, opting instead for the more secure bcrypt.
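The switch Yan describes, from salted SHA1 to bcrypt, is the standard fix for a leaked password table: a salted SHA1 digest is cheap to compute, so a stolen snapshot can be attacked at hardware speed, while a deliberately slow hash with a tunable cost makes each guess expensive. The example below is added here and is not Disqus code; it shows a salted-SHA1 record beside a slow-hash record and an upgrade-on-login path that rehashes a legacy record the first time its owner signs in with the correct password. Because bcrypt is not in the Python standard library, the slow scheme uses `hashlib.pbkdf2_hmac` as a stand-in; the `sha1$salt$digest` and `pbkdf2_sha256$iterations$salt$digest` record layouts are constructed for this example.

```python
import hashlib
import hmac
import os
import time

# Work factor for the slow scheme (assumption for this example; tune to your
# hardware so one verification costs tens of milliseconds).
PBKDF2_ITERATIONS = 200_000


def legacy_sha1_hash(password: str, salt: bytes) -> bytes:
    """Salted SHA1, the pre-2012 scheme described in the article. One fast digest."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def slow_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stand-in for bcrypt: a salted, iterated KDF whose cost is set by `iterations`."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def make_legacy_record(password: str, salt: bytes) -> str:
    """Build a legacy record (constructed format) so old data can be simulated in tests."""
    return "sha1$%s$%s" % (salt.hex(), legacy_sha1_hash(password, salt).hex())


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Build a current record with a fresh random 16-byte salt (constructed format)."""
    salt = os.urandom(16)
    digest = slow_hash(password, salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_record(password: str, record: str):
    """Check `password` against a stored record.

    Returns (ok, upgraded_record). When a legacy SHA1 record verifies, the caller
    receives a replacement record in the slow scheme to store in place of the old
    one; this is how a site retires salted-SHA1 hashes without a forced reset.
    Comparisons use hmac.compare_digest to avoid leaking timing information.
    """
    parts = record.split("$")
    scheme = parts[0]
    if scheme == "sha1":
        _, salt_hex, digest_hex = parts
        expected = legacy_sha1_hash(password, bytes.fromhex(salt_hex))
        ok = hmac.compare_digest(expected, bytes.fromhex(digest_hex))
        return ok, (make_record(password) if ok else None)
    if scheme == "pbkdf2_sha256":
        _, iters, salt_hex, digest_hex = parts
        expected = slow_hash(password, bytes.fromhex(salt_hex), int(iters))
        ok = hmac.compare_digest(expected, bytes.fromhex(digest_hex))
        return ok, None
    raise ValueError("unknown password record scheme: %r" % scheme)


def seconds_per_hash(fn, password: str, salt: bytes, rounds: int = 3) -> float:
    """Rough per-guess cost of a hashing function; the gap is the whole argument."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(password, salt)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed sample salt
    old = make_legacy_record("example-passphrase", salt)
    ok, new = verify_record("example-passphrase", old)
    print("legacy record verified:", ok, "-> upgraded scheme:", new.split("$")[0])
    print("legacy SHA1 cost per guess: %.2e s" % seconds_per_hash(legacy_sha1_hash, "x", salt))
    print("slow KDF cost per guess:    %.2e s" % seconds_per_hash(slow_hash, "x", salt))
```

On a typical machine the salted-SHA1 line comes out several orders of magnitude cheaper than the slow-KDF line, which is the property that makes a 2012-era snapshot worth resetting passwords over even though the hashes were salted. A real deployment would use bcrypt, scrypt or Argon2 via a maintained library rather than the PBKDF2 stand-in, but the upgrade-on-login flow is the same.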
"Our team is still actively investigating this issue, but we wanted to share all relevant information as soon as possible," Yan said.
"If more information surfaces we will update this post and share any updates directly to users."
Hopefully those updates come a bit earlier in the day. ®