Disqus issued an Oct. 6 breach notification, warning that data on 17.5 million users was stolen in 2012.
The commenting platform Disqus is resetting all users’ passwords after discovering a password database breach that dates from 2012. That is just one of several older breaches in which stolen data has only now surfaced, and more belated breach discoveries are in the pipeline, says one security expert.
See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach
Disqus is a commenting platform that lets websites build a database of users and track engagement. The company says its software is used by millions of publishers, comprising some 17 billion page views a month. In fact, the publisher of this site, Information Security Media Group, uses Disqus for commenting, but did not begin using the service until 2013, which is after the breach occurred.
Whoever breached Disqus obtained a snapshot of its database, circa 2012, with information on 17.5 million users going back to 2007, writes Jason Yan, the CTO and co-founder of Disqus. The breach exposed email addresses, salted password hashes, usernames, sign-up dates and last login dates.
“We sincerely apologize to all of our users who were affected by this breach,” Yan writes. “Our intention is to be as transparent as possible about what happened, when we found out, what the potential consequences may be and what we are doing about it.”
Troy Hunt, who runs the Have I Been Pwned data breach notification service, notified Disqus of the breach. Hunt loaded the data into his service, which sends emails to registered users when their email appears in a data breach. One ISMG reporter received a Disqus breach alert from Hunt’s service on Saturday.
Disqus breach alert from Troy Hunt’s Have I Been Pwned service.
Hunt says he received the data from a source he declined to name.
Yan at Disqus says it doesn’t not appear that the stolen data has been widely distributed or is readily available.
Hunt says Disqus “actually did a sensational job handling” the breach.
About one day after learning of the breach, Disqus had posted Yan’s blog post. Disqus is also resetting passwords for all users. Yan writes that there hasn’t been any evidence of unauthorized logins leveraging the breached data. But he recommends that users who’ve reused their Disqus password on other sites change all of them immediately.
Breach-notification timeline published by Disqus on Oct. 6.
The Disqus passwords were hashed using the SHA1 algorithm, which security experts have long warned – well before 2012 – was not a secure way to hash passwords. Hashing is the process by which a plaintext password is processed by an algorithm to generate a cryptographic representation, which is safer for service providers to store.
Disqus passwords also had “salt,” an additional security measure that makes it more difficult guess the plain text.
Modern computing power allows attackers to calculate hashes and then check if the hashes match the leaked one. Some hardware rigs, specifically configured for password cracking, can generate hashes for possible SHA1 passwords up to 8.5 billion times a second, in an attempt to generate a hash that matches, thus allowing the password cracker to recover the plaintext password that was originally hashed.
Hunt says there’s a good chance that at the least the weak passwords hashed with the SHA1 algorithm could be cracked or have already been cracked. More complicated passwords, however, might have been harder to crack.
“Salt or not salt, if you’re using MD5 or any SHA variant … then it’s basically useless,” Hunt says. “And when we say useless, we mean a large percentage will be cracked in a very short time.”
Disqus notes that it moved to the bcrypt algorithm to hash passwords in late 2012, which is what many security experts have long advocated. The bcrypt algorithm, provided it is correctly implemented, is regarded as being an extremely secure way to hash passwords, as it takes attackers much longer to generate bcrypt hashes. The aforementioned password-cracking hardware setup, for example, can only generate around 13,000 bcrypt hashes per second, compared with 8.5 billion SHA1 hashes.
Trio of Old Breaches
Disqus is not alone in seeing an old breach come to light. On Wednesday and Thursday, Hunt added several other breaches to Have I Been Pwned, including breaches of Reverb Nation, Kickstarter and Bitly. All of the companies disclosed those breaches in the first half of 2014.
Hunt says the same source who passed him the Disqus data gave him the data from these three other breaches. Hunt says the source passed him the data of concern for the safety of those sites’ users.
The Bitly breach, disclosed by the company in May 2014, encompassed 9.3 million accounts. It included compromised email addresses, encrypted passwords, API keys and OAuth tokens.
After Hunt tweeted that the Bitly data was in Have I Been Pwned, Bitly responded that the breach came as a result of a compromise of a third-party service – something it did not note in its original notification. “No current security threat; No action required,” Bitly tweeted.
RE: 3rd-party service recently shared a data compromise that affected Bitly in 2014. No current security threat; no action required. pic.twitter.com/kcHSuseAYS— Bitly (@Bitly) October 6, 2017
Kickstarter said in February 2014 that it suffered a breach affecting 5.2 million unique email addresses, usernames and salted SHA1 hashes of passwords. In September 2015, ReverbNation, which is a service for helping musicians, gave notice of a breach of 7 million accounts, including email addresses and hashed SHA1 passwords with a salt.
More Breaches Coming
Old, big breaches only now coming to light harks back to last year. That’s when data stolen from such major companies as Yahoo, LinkedIn, MySpace and Twitter started circulating on the cybercrime underground, years after the actual breaches occurred (see ‘Historical Mega Breaches’ Continue: Tumblr Hacked).
Hunt says he’s also received data from three additional breaches, comprising around 22 million records. Affected companies are being notified directly; Hunt says they will be added to Have I Been Pwned.
These old breaches, only now coming to light, are a reminder that there are so many breaches “out there which we just do not know about, that we have not heard about, and the companies that have lost it don’t know and it could have been from years ago too,” Hunt says.
Executive Editor Mathew Schwartz also contributed to this story.