Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Security Privacy The Internet Technology

Disqus Confirms Over 17.5 Million Email Addresses Were Stolen In 2012 Hack of Its Comments Tool (zdnet.com) 81

Disqus, a company that builds and provides a web-based comment plugin for news websites, said Friday that hackers stole more than 17.5 million email addresses in a data breach in July 2012. "About a third of those accounts contained passwords, salted and hashed using the weak SHA-1 algorithm, which has largely been deprecated in recent years in favor of stronger password scramblers," reports ZDNet. From the report: Some of the exposed user information dates back to 2007. Many of the accounts don't have passwords because they signed up to the commenting tool using a third-party service, like Facebook or Google. The theft was only discovered this week after the database was sent to Troy Hunt, who runs data breach notification service Have I Been Pwned, who then informed Disqus of the breach. The company said in a blog post, posted less than a day after Hunt's private disclosure, that although there was no evidence of unauthorized logins, affected users will be emailed about the breach. Users whose passwords were exposed will have their passwords force-reset. The company warned users who have used their Disqus password on other sites to change the password on those accounts.
This discussion has been archived. No new comments can be posted.

Disqus Confirms Over 17.5 Million Email Addresses Were Stolen In 2012 Hack of Its Comments Tool

Comments Filter:
  • Meh. (Score:4, Informative)

    by Frosty Piss ( 770223 ) * on Friday October 06, 2017 @08:23PM (#55325279)

    I'm really not sure how much I consider an email "breach" all that big a deal. Most people use semi-disposable email anyway, and how is your email address much more secret than your street address? I suppose they could use them in a big data-mining cross-reference deal, but at this point, I'm kind of "so what".

    • Re:Meh. (Score:5, Informative)

      by JohnFen ( 1641097 ) on Friday October 06, 2017 @08:44PM (#55325371)

      It wouldn't be a big deal, except that people generally have terrible password habits. The main issue here will be people who tend to use the same password in multiple places.

      The risk is if the hashes are cracked (which is doable if someone thinks it's worth the effort). If that's done, then there will be a sizable percentage of people who use the same email address combined with the same password on other sites too. Potentially banking sites, ebay accounts, etc. Thieves know people do this, and look for it.

      Those people are at severe risk and need to know.

      • by AmiMoJo ( 196126 )

        Typically when millions of passwords are leaked with just a basic hash and no salt, 99% of them are cracked within a month.

        Publicly cracked by people looking to show up the poor security, that is. Presumably anyone with bad intentions spends a few bucks on Amazon EC2 instances so they can get to abusing them ASAP.

    • Most people use semi-disposable email anyway".

      Wait what? Where do you get this idea?

    • Most people use semi-disposable email anyway

      No they don't.

      and how is your email address much more secret than your street address?

      Because it requires money and effort to spam me at my street address, but almost none at my email address.

  • It's not "Disgus" with a G, it's "Disqus" with a Q. It's a play on "discuss".
    • No, it’s a play on ‘disgust’, as in the commenting system that keeps logging you out of your account on a site at random unexpected times. And when you find yourself logged out, generally after hitting ‘Reply’ and composing a beautiful rejoinder to some clueless moron who could benefit so by your crystalline reasoning, you find that the Disqus login pop up just flashes by, disappearing without letting you enter anything.

      The bright side is that a site that uses Disgust is at lea

      • by lucm ( 889690 )

        I had to look up Livefyre because I'm a social media retard, and I almost drowned in my gulp of mountain dew when I saw this on their website:

        Engage people with the voices they trust. Their own.

        http://www.adobe.com/ca/market... [adobe.com]

        The url itself is already a cuntpuncher, it has "marketing-cloud" and "experience-manager" in it, as well as "platform". Well played, Adobe, almost got a bullshit bingo in the address bar alone.

      • by Megane ( 129182 )
        And most recently, they have apparently removed the thread collapse widget, which was the only thing that made a comments thread with hundreds of replies readable, by collapsing sub-threads that have clearly gone off into the weeds. This also helped with the tendency for people to reply to the top post, then the top post below that, etc., clumping the reply tree to the top. Maybe that caused people to actually load comments to read the replies, because now there's no point, so less bandwidth and server load
  • by Anonymous Coward

    Freudian slip?

  • I wonder how many more upcoming breach announcements we'll have, all hoping to get away with minimal casualties because they aren't as bad as the disasters at Equifax and Yahoo.

  • by plover ( 150551 ) on Friday October 06, 2017 @08:48PM (#55325393) Homepage Journal

    "About a third of those accounts contained passwords, salted and hashed using the weak SHA-1 algorithm, which has largely been deprecated in recent years in favor of stronger password scramblers,"

    Sigh. If you're going to pick a quote, pick one that states a meaningful fact. SHA-1's flaw is that it allows a pre-image attack, where an attacker can craft a duplicate message that yields the same hash value as a different message, which is very useful for forging signatures on certificates. But that flaw is utterly useless for more efficiently brute force attacking a password that was hashed with SHA-1.

    All the information I gleaned from this quote is that the author doesn't understand what he's talking about, and his writing isn't worth reading. Oh, and that my password on Disqus is still safe.

    • Yes, you're right. I totally missed that!

    • by raymorris ( 2726007 ) on Friday October 06, 2017 @11:50PM (#55325977) Journal

      You are absolutely correct for SHA-1 hashes of random data, of significant length. Passwords, however, are neither random nor long. I'll describe the attack for you and you can try it out yourself. The fact that an ordinary consumer PC can compute SHA-1 password hashes at the rate 10 billion per second is why SHA-1 is no longer appropriate for passwords. Here's how the attack is done:

      Download two large lists of passwords, any "combined list" from your favorite haxor site will do. It doesn't matter what sites the passwords are from. If you run a comparison, you'll find that given two lists of a million passwords, about half of the passwords will be on both lists - with different accounts. That is, there is about a 50/50 chance that your password is in the list because somebody else used the same password. You probably know it's not too hard to find lists totaling many millions of passwords (we don't need fresh ones). If we put together a list of 10 million passwords, most of the Disqus passwords will be on our list, because SOMEBODY used the same password (not necessarily the same person).

      So we take the first, most common password on our list of previously seen passwords and try it against each of the 17 million hashes from Disqus. Because SHA-1 is so fast, our $100 GPU can check all 17 million hashes in one millisecond. In one second, we can try the top thousand most common passwords. In 24 hours, we can test out 10 MILLION passwords that somebody, somewhere, has used before, and thereby crack perhaps 8 million of the Disqus passwords - which gives us the email addresses to match those passwords.

      For passwords, therefore, you need a hash that can't be easily computed at the rate of billions per second with commodity hardware. Bcrypt and scrypt are appropriate choices. To avoid certain problems with particularly long or particularly short passwords, you first take a SHA-2 hash of the password, then scrypt it.*

      * In the general case of random data, hashing a hash doesn't add security. Passwords, however are not the general case.

      • by lucm ( 889690 )

        first take a SHA-2 hash of the password, then scrypt it.*

        * In the general case of random data, hashing a hash doesn't add security. Passwords, however are not the general case.

        Did you really have to end your main comment with a footnote reference, immediately followed by the footnote? That blatant abuse of footnotes creates a dark cloud of suspicion over your message, which is too bad because I was with you up to that point.

      • by plover ( 150551 )

        And that in no way defends the incorrect assertion of the article's author that associates SHA-1's flaws with this attack, which was the entire point I was trying to make.

        Regarding the security of the password hash database that was stolen, I was assuming a few things: that the attackers are lazy, and while they might try a rainbow table, they won't bother brute-force hashing salted passwords; and that when disqus says they used a salted hash, that they actually used a proper per-user salt algorithm, and no

  • I really don't trust these sites to do a good job... but only allowing google and twitter oauth providers is pathetic

     

    • by plover ( 150551 )

      Years ago, I used Yahoo!'s OAuth provider to sign up on lots of sites. That sure kept my accounts secure! :-/

    • The problem with oauth and the like is that they are a bit like keeping all your eggs in one basket. If the auth provider is breached, it is theoretically possible for credentials to be forged. Unlikely, but possible. It's generally better to compartmentalize, so a breach at one place won't make you vulnerable anywhere else.

      On the other hand, people really don't like doing passwords in a secure way. It is, admittedly, a real hassle. If you aren't going to do passwords securely, then you're much better off u

      • by lucm ( 889690 )

        It's also annoying if you close your Google account and those sites are tied to it.

  • Guess what service I'm glad I never bothered to sign up for.
  • Disqus is a scam.

    A while ago we had a news discussion where we found the following rules for cencorship:

    "Putin is an Idiot" is censored.
    "Trump is an Idiot" is censored.
    "Obama is an Idiot" is NOT censored.
    "Merkel is an Idiot" is NOT censored.

    So now we got curious, we edited the already posted texts by exchanging the names randomly... at first the "new" anti-Putin comments where up for a couple of minutes puplicly and then got cencored. The "new" Anti-Obama-comments on the other hand where still block

  • ...and now 5 years later they notice it? Why are companies like that still allowed to stay in business?
    • by plover ( 150551 )

      ...and now 5 years later they notice it? Why are companies like that still allowed to stay in business?

      My guess is that the evidence of the attack from 5 years ago has long since been destroyed. Disqus *never* noticed it themselves, they were only recently informed of it by Troy Hunt, who obtained a copy of the stolen database and then contacted them.

      Anyway, there isn't a law against being incompetent. There may still be consequences, however, if their clients get mad at them for this breach and abandon disqus in favor of another commenting system.

  • . . . to the latest count of over 3 billion, 240 million invasive hacks since 2012, we how are updated to OVER 3 billion 258 million!
  • Couldn't happen to a better company. The way they show posts must be one of the most fucked up ways of doing it.

This process can check if this value is zero, and if it is, it does something child-like. -- Forbes Burkowski, CS 454, University of Washington

Working...