17.5 Million Disqus Accounts Exposed


The commenting platform Disqus on Oct. 6 acknowledged a security breach that potentially affects 17.5 million users.

Disqus Co-founder Jason Yan said in an alert that the data appears to date from July 2012 and earlier, but that it includes Disqus usernames, email addresses, sign-up dates and last login dates in plain text. About one-third also include encrypted passwords.

Yan said the company is forcing a password reset for all affected users, though he said the company hasn’t seen evidence of unauthorized logins. Because the email addresses were in plain text, affected users may get spam or otherwise unwanted emails.

Have I Been Pwned? operator and independent security researcher Troy Hunt notified the company Oct. 5 of the potential breach. Disqus verified the data and began notifying users the next day, prior to its public disclosure.

“Our team is still actively investigating this issue, but we wanted to share all relevant information as soon as possible. If more information surfaces we will update this post and share any updates directly to users,” Yan wrote.