Disqus, the developer of website comment systems used worldwide, is playing the old “bury bad news late on a Friday” card – as it just confessed one of its databases was swiped by hackers.
The software maker, which produces reader comment boards for blogs and newspapers everywhere, admitted at 4pm Pacific Time, Friday, that a network intruder was able to grab a copy of a database snapshot from 2012. That snapshot contained nearly 18 million account records: email addresses, usernames and login dates for all of them, plus salted SHA1 password hashes for about a third.
“While we are still investigating the incident, we believe that it is best to share what we know now. We know that a snapshot of our user database from 2012, including information dating back to 2007, was exposed,” Disqus founder Jason Yan said today.
“The snapshot includes email addresses, Disqus user names, sign-up dates, and last login dates in plain text for 17.5m users. Additionally, passwords (hashed using SHA1 with a salt; not in plain text) for about one-third of users are included.”
4pm PT on a Friday, and… DING DING we have a bury-bad-news winner: It’s Disqus. Which was hacked https://t.co/oPAOF13MSo pic.twitter.com/qcHcG2XdTL
— The Register (@TheRegister) October 6, 2017

According to Yan, the security breach was only discovered Thursday at 4.18pm PT, when Australian security researcher, Microsoft Regional Director and HaveIBeenPwned operator Troy Hunt spotted the lifted data in the wild. Within an hour, Yan said, the Disqus team had analyzed the data and verified it as authentic.
Now, San Francisco-based Disqus said, after spending the day notifying users of the hack, it went public with the finding in the interest of prompt disclosure and definitely not as an effort to minimize coverage of the issue.
Yan said his biz has reset the passwords for all Disqus accounts whose hashes were exposed to the database thieves, and is advising those users to change the password on any other account where they reused it. Disqus noted that at the end of 2012 it stopped hashing passwords with SHA1 and moved to the slower, work-factor-tunable bcrypt. That distinction matters: a per-user salt only defeats precomputed lookup tables, it does nothing to slow an offline attacker who has the salts, and SHA1 is fast enough that common passwords in a salted-SHA1 dump fall to dictionary guessing in seconds, whereas bcrypt makes every guess deliberately expensive.
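To make that difference concrete, here is an added example (not Disqus code, and not derived from the leaked data) that builds one constructed 2012-style `sha1$salt$hex` record, runs a dictionary attack against it, and compares that with a work-factor hash. bcrypt is not in the Python standard library, so the example uses `hashlib.scrypt` as a stand-in for the same class of deliberately slow password hash; the record format, salt, password and wordlist are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample: a Django-era "sha1$salt$hexdigest" password field.
# The salt and password are invented for this example; nothing here is from
# the Disqus snapshot.
def sha1_salted(salt: str, password: str) -> str:
    """Salted SHA1 as stored in many 2012-era web apps: one fast hash call."""
    return hashlib.sha1((salt + password).encode()).hexdigest()

SAMPLE_SALT = "9f1c2a3b"
SAMPLE_PASSWORD = "letmein2012"
SAMPLE_RECORD = f"sha1${SAMPLE_SALT}${sha1_salted(SAMPLE_SALT, SAMPLE_PASSWORD)}"

# Tiny constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "123456", "qwerty", "letmein", "letmein2012", "disqus"]


def crack_sha1_record(record: str, wordlist) -> tuple:
    """Offline dictionary attack: the salt is in the record, so each guess costs
    exactly one SHA1. Returns (recovered_password_or_None, guesses_made)."""
    algo, salt, digest = record.split("$")
    assert algo == "sha1"
    for i, guess in enumerate(wordlist, 1):
        if hmac.compare_digest(sha1_salted(salt, guess), digest):
            return guess, i
    return None, len(wordlist)


def scrypt_hash(password: str, salt: bytes = None, n: int = 2**14, r: int = 8, p: int = 1) -> str:
    """Work-factor hash (scrypt used as a stand-in for bcrypt). The cost
    parameters are stored with the hash so they can be raised over time."""
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${dk.hex()}"


def scrypt_verify(record: str, password: str) -> bool:
    """Constant-time verification of a candidate password against a scrypt record."""
    algo, n, r, p, salt_hex, dk_hex = record.split("$")
    assert algo == "scrypt"
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_scrypt_record(record: str, wordlist) -> tuple:
    """Same dictionary attack, but every guess now pays the full scrypt cost."""
    for i, guess in enumerate(wordlist, 1):
        if scrypt_verify(record, guess):
            return guess, i
    return None, len(wordlist)


def cost_ratio(trials: int = 10) -> float:
    """Rough wall-clock cost of one scrypt guess relative to one salted-SHA1 guess.
    The absolute numbers depend on the machine; the ratio is what matters."""
    t0 = time.perf_counter()
    for _ in range(trials * 1000):
        sha1_salted(SAMPLE_SALT, "guess")
    sha1_each = (time.perf_counter() - t0) / (trials * 1000)

    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(trials):
        hashlib.scrypt(b"guess", salt=salt, n=2**14, r=8, p=1, dklen=32)
    scrypt_each = (time.perf_counter() - t0) / trials
    return scrypt_each / sha1_each


if __name__ == "__main__":
    print("salted SHA1 cracked:", crack_sha1_record(SAMPLE_RECORD, WORDLIST))
    rec = scrypt_hash(SAMPLE_PASSWORD)
    print("scrypt cracked:", crack_scrypt_record(rec, WORDLIST))
    print("cost per guess, scrypt vs SHA1: %.0fx" % cost_ratio())
```

Both records fall to the same six-word list, which is the point: a slow hash does not rescue a weak password, it only multiplies the attacker's bill per guess. Against a 17.5-million-row dump that multiplier decides whether the whole table is cracked over a weekend or only the worst passwords are.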
“Our team is still actively investigating this issue, but we wanted to share all relevant information as soon as possible,” Yan said.
“If more information surfaces we will update this post and share any updates directly to users.”
Hopefully those updates come a bit earlier in the day. ®