Half a decade late, blog comment company Disqus has reportedly admitted a data breach that saw email addresses and passwords stolen from 17.5 million users.
Disqus, a global company that provides websites like blogs with an extension so users can leave comments on posts, was hit by hackers. The hackers reportedly managed to steal information dated back to 2007, which included usernames with associated email addresses, sign-up dates, lost login dates and hashed passwords.
Breach disclosure delay
The major delay in disclosing the data breach apparently lies in the company’s lack of security alerting systems to notify managers in the event of a breach. They reportedly didn’t know about the breach until owner of HaveIBeenPwned.com, Troy Hunt, received a copy of the site’s confidential information and alerted Disqus about the breach
According to Disqus, as soon as they were told about the breach, they wasted no time in disclosing the breach to the authorities and started contacting users and pushed affected account holders to reset their passwords; all within 24 hours. But this, swift response, post-realisation of the breach, is of course dwarfed by the five-year period the breach was hidden from the company…
Has the damage already been done?
At the time of the breach, the service was used by Engadget, a gaming and entertainment online magazine where editors would publish blogs on recent developments and reviews of gadgets and services, like iPhones and gaming consoles.
During the five years between the breach occurring and Disqus being told about it, cybercriminals may have already utilised stolen data for criminal activity, including using the username, email and password combo to try and unlock other accounts where goods and services could be purchased.
Although passwords were at least hashed, the SHA1 form of cyber protection may have been decrypted by cyber hackers. Disqus’ lack of cybersecurity to prevent a breach and also to detect unauthorised access and use of their data will likely have violated data protection laws.
The Data Protection Act and its Principles imposes obligations on all organisations to ensure any personal and private information held is safe and secure.