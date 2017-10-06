Disqus Confirms Over 17.5 Million Email Addresses Were Stolen In 2012 Hack of Its Comments Tool (zdnet.com) 25
Disqus, a company that builds and provides a web-based comment plugin for news websites, said Friday that hackers stole more than 17.5 million email addresses in a data breach in July 2012. "About a third of those accounts contained passwords, salted and hashed using the weak SHA-1 algorithm, which has largely been deprecated in recent years in favor of stronger password scramblers," reports ZDNet. From the report: Some of the exposed user information dates back to 2007. Many of the accounts don't have passwords because they signed up to the commenting tool using a third-party service, like Facebook or Google. The theft was only discovered this week after the database was sent to Troy Hunt, who runs data breach notification service Have I Been Pwned, who then informed Disqus of the breach. The company said in a blog post, posted less than a day after Hunt's private disclosure, that although there was no evidence of unauthorized logins, affected users will be emailed about the breach. Users whose passwords were exposed will have their passwords force-reset. The company warned users who have used their Disqus password on other sites to change the password on those accounts.
Meh. (Score:3)
I'm really not sure how much I consider an email "breach" all that big a deal. Most people use semi-disposable email anyway, and how is your email address much more secret than your street address? I suppose they could use them in a big data-mining cross-reference deal, but at this point, I'm kind of "so what".
Re: (Score:2)
It wouldn't be a big deal, except that people generally have terrible password habits. The main issue here will be people who tend to use the same password in multiple places.
The risk is if the hashes are cracked (which is doable if someone thinks it's worth the effort). If that's done, then there will be a sizable percentage of people who use the same email address combined with the same password on other sites too. Potentially banking sites, ebay accounts, etc. Thieves know people do this, and look for it
Disgus? (Score:2)
Disqusting. (Score:1)
I wonder how many more upcoming breach announcements we'll have, all hoping to get away with minimal casualties because they aren't as bad as the disasters at Equifax and Yahoo.
Re: (Score:2)
He is right though. If you can get yourself to trust HaveIBeenPwned.com (and it's a pretty well-known security site), then you get free reports of all major password leaks from all other sites, even itself if that ever happens. If you can't trust it, then you you implicitly trust *all* the other sites you sign up for to not get hacked, or to reliably notify you when they do. Now which is easier: to trust one site, or to trust all of them minus the first one?
Re: (Score:2)
Yep. I use the notifications from that site to remind me when it's time to change all my important passwords.
Re: Have I Been Pwned Website (Score:2)
Every single email that I checked shows to have been compromised. Sigh.....
this is my email address. there are many like it, (Score:2)
SHA-1's flaws have nothing to do with this (Score:4, Informative)
"About a third of those accounts contained passwords, salted and hashed using the weak SHA-1 algorithm, which has largely been deprecated in recent years in favor of stronger password scramblers,"
Sigh. If you're going to pick a quote, pick one that states a meaningful fact. SHA-1's flaw is that it allows a pre-image attack, where an attacker can craft a duplicate message that yields the same hash value as a different message, which is very useful for forging signatures on certificates. But that flaw is utterly useless for more efficiently brute force attacking a password that was hashed with SHA-1.
All the information I gleaned from this quote is that the author doesn't understand what he's talking about, and his writing isn't worth reading. Oh, and that my password on Disqus is still safe.
Re: (Score:2)
Yes, you're right. I totally missed that!
websites need to allow logins other than goog/twtr (Score:2)
I really don't trust these sites to do a good job... but only allowing google and twitter oauth providers is pathetic
Re: (Score:2)
Years ago, I used Yahoo!'s OAuth provider to sign up on lots of sites. That sure kept my accounts secure!
:-/
Re: (Score:2)
The problem with oauth and the like is that they are a bit like keeping all your eggs in one basket. If the auth provider is breached, it is theoretically possible for credentials to be forged. Unlikely, but possible. It's generally better to compartmentalize, so a breach at one place won't make you vulnerable anywhere else.
On the other hand, people really don't like doing passwords in a secure way. It is, admittedly, a real hassle. If you aren't going to do passwords securely, then you're much better off u