Breach Notification , Data Breach , Encryption

Following Disqus Breach, Expert Discloses More Old Breaches

Data From Reverb Nation, Bitly and Kickstarter Belatedly Surfaces; More Coming
Following Disqus Breach, Expert Discloses More Old Breaches
Disqus issued an Oct. 6 breach notification, warning that data on 17.5 million users was stolen in 2012.

The commenting platform Disqus is resetting all users' passwords after discovering a password database breach that dates from 2012. That is just one of several older breaches in which stolen data has only now surfaced, and more belated breach discoveries are in the pipeline, one security expert says.

See Also: How to Scale Your Vendor Risk Management Program

Disqus is a commenting platform that enables websites to build a database of users and track engagement. The company says its software is used by millions of publishers, generating some 17 billion page views a month. In fact, the publisher of this site, Information Security Media Group, uses Disqus for commenting, but it did not begin using the service until 2013, which is after the breach occurred.

Whoever breached Disqus obtained a snapshot of its database, circa 2012, with information on 17.5 million users going back to 2007, Jason Yan, the CTO and co-founder of Disqus, writes in a blog. The breach exposed email addresses, salted password hashes, usernames, sign-up dates and last login dates.

"We sincerely apologize to all of our users who were affected by this breach," Yan writes. "Our intention is to be as transparent as possible about what happened, when we found out, what the potential consequences may be and what we are doing about it."

Troy Hunt, who runs the Have I Been Pwned data breach notification service, notified Disqus of the breach. Hunt loaded the data into his service, which sends emails to registered users when their email appears in a data breach. One ISMG reporter received a Disqus breach alert from Hunt's service on Saturday.

Disqus breach alert from Troy Hunt's Have I Been Pwned service.

Hunt says he received the data from a source he declined to name.

Yan at Disqus says it does not appear that the stolen data has been widely distributed or is readily available.

Breach-Notification Kudos

Hunt says Disqus "actually did a sensational job handling" the breach.

About one day after learning of the breach, Disqus had posted Yan's blog post. Disqus is also resetting passwords for all users. Yan writes that there hasn't been any evidence of unauthorized logins leveraging the breached data. But he recommends that users who've reused their Disqus password on other sites change all of them immediately.

Breach-notification timeline published by Disqus on Oct. 6.

The Disqus passwords were hashed using the SHA1 algorithm, which security experts have long warned - well before 2012 - was not a secure way to hash passwords. Hashing is the process by which a plaintext password is processed by an algorithm to generate a cryptographic representation, which is safer for service providers to store.

Disqus passwords also had "salt," an additional security measure that makes it more difficult to guess the plain text.

SHA1 Alert

Modern computing power enables attackers to calculate hashes and then check if the hashes match the leaked one. Some hardware rigs specifically configured for password cracking can generate hashes for possible SHA1 passwords up to 8.5 billion times a second in an attempt to generate a hash that matches, thus allowing the password cracker to recover the plaintext password that was originally hashed.

Hunt says there's a good chance that at the least the weak passwords hashed with the SHA1 algorithm could be cracked or have already been cracked. More complicated passwords, however, might have been harder to crack.

"Salt or not salt, if you're using MD5 or any SHA variant ... then it's basically useless," Hunt says. "And when we say useless, we mean a large percentage will be cracked in a very short time."

Disqus notes that it moved to the bcrypt algorithm to hash passwords in late 2012, which is what many security experts have long advocated. The bcrypt algorithm, provided it is correctly implemented, is regarded as being an extremely secure way to hash passwords, as it takes attackers much longer to generate bcrypt hashes. The aforementioned password-cracking hardware setup, for example, can only generate around 13,000 bcrypt hashes per second, compared with 8.5 billion SHA1 hashes.

Trio of Old Breaches

Disqus is not alone in seeing data from an old breach come to light. On Wednesday and Thursday, Hunt added several other breaches to Have I Been Pwned, including breaches of Reverb Nation, Kickstarter and Bitly. All of the companies disclosed those breaches in the first half of 2014.

Hunt says the same source who passed him the Disqus data gave him the data from these three other breaches. Hunt says the source passed him the data out of concern for the safety of those sites' users.

The Bitly breach, disclosed by the company in May 2014, encompassed 9.3 million accounts. It included compromised email addresses, encrypted passwords, API keys and OAuth tokens.

After Hunt tweeted that the Bitly data was in Have I Been Pwned, Bitly responded that the breach came as a result of a compromise of a third-party service - something it did not note in its original notification. "No current security threat; No action required," Bitly tweeted.

Kickstarter said in February 2014 that it suffered a breach affecting 5.2 million unique email addresses, usernames and salted SHA1 hashes of passwords. In September 2015, ReverbNation, which is a service for helping musicians, gave notice of a breach of 7 million accounts, including email addresses and hashed SHA1 passwords with a salt.

More Breaches Coming

Old, big breaches only now coming to light harks back to last year, when data stolen from such major companies as Yahoo, LinkedIn, MySpace and Twitter started circulating on the cybercrime underground years after the actual breaches occurred (see 'Historical Mega Breaches' Continue: Tumblr Hacked).

Hunt says he's also received data from three additional breaches, comprising around 22 million records. Affected companies are being notified directly; Hunt says they will be added to Have I Been Pwned.

These old breaches, only now coming to light, are a reminder that there are so many breaches "out there which we just do not know about, that we have not heard about, and the companies that have lost it don't know and it could have been from years ago too," Hunt says.

Executive Editor Mathew Schwartz also contributed to this story.


About the Author

Jeremy Kirk

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Jeremy Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.




Around the Network