Online discussion platform Disqus had a data breach in 2012
A snapshot of the database of discussion platform Disqus has surfaced on the internet. Hackers stole the data in 2012. For one-third of the approximately 18 million accounts involved, the snapshot includes the password hashed with SHA-1.
Disqus announced the data breach on Friday afternoon. The database also contains e-mail addresses, usernames and, in plaintext, the dates on which users registered and last logged in. The oldest data in the snapshot is from 2007. Disqus has automatically forced a mandatory password reset for affected users. The platform states that it has not observed any unauthorized login attempts.
Disqus was notified by Troy Hunt, administrator of HaveIBeenPwned.com, who loaded the data into his service and notified members through that channel as well. The security expert also told ZDNet that 71 percent of the e-mail addresses leaked at Disqus could already be found in Hunt’s database. Disqus tells the tech site that the breach concerns less than ten percent of the total number of accounts that the service has.
Anyone whose Disqus account is affected must change their password there. If the same password is used on other services, which is not recommended, users should change it on those services as well. In addition, using a password that is five years old is strongly inadvisable. The SHA-1 algorithm used to hash the leaked passwords was also cracked earlier this year and is hardly used anymore.