If at least they blocked those morons who keep posting "GOOGLE IS PAYING ME THOUSAND OF DOLLARS" in every damn thread in every damn site that uses Disqus....
It's 4PM on Friday, almost time to log off and, oh look, Disqus says it's been hacked
Disqus, the developer of website comment systems used worldwide, is playing the old "bury bad news late on a Friday" card – as it just confessed one of its databases was swiped by hackers. The software maker, which produces reader comment boards for blogs and newspapers everywhere, admitted at 4pm Pacific Time, Friday, that a …
-
-
-
Saturday 7th October 2017 15:41 GMT macjules
Re: Why would..
1) Realise that someone seems to have 'left' a copy of your 2007-2012 user database 'lying around' as if it was an old copy of Yellow Pages.
2) Inform your PR department
3) Wait until everyone has gone to the pub on a Friday afternoon and then release the press release
4) Laugh at the morons who then discuss the breach in the comments.. on Disqus
5) Realise that the 18m users were most likely Daily Telegraph commentards from that period and not worry too much.
-
-
-
Saturday 7th October 2017 01:14 GMT Anonymous Coward
Re: No loss
It must be greatly improved since 2012. I didn't know about it till a couple years ago and find it relatively easy to use. Generally speaking, when I see the little Disqus logo on a site's comment section, I think I will have fewer issues than if I try to use the site's own comment system. I tend to wish more sites used it.
-
-
-
Sunday 8th October 2017 12:25 GMT Anonymous Coward
I can’t find a link to the information just now, but did The Register not have the email addresses of people who had signed up to their newsletters snarfled and spammed a few years ago?
At least The Register was quick to acknowledge the problem and to sincerely apologise for it.
(It just goes to show that good security practice does require a lot of care and attention, however.)
-
Monday 9th October 2017 00:59 GMT veti
Maybe, but El Reg has yet to have its user list hacked.
As far as we know.
How long do you think it would take them to notice, if it happened? And how long after that to inform us?
I think Disqus comes out of this story pretty well, by notifying promptly. OK, on a Friday, but guess what? - the weekend is actually a pretty good time for most of us to deal with these things. Disqus is unlikely to be a mission-critical work account for most people.
-
-
-
Monday 9th October 2017 08:55 GMT Anonymous Coward
Re: No loss
I think I have to enable Javascript
Or unblock the site in Ghostery and uBlock - and like you, I won't. They can have the password and username - 2012 is about 10 cycles of renewal away from what it is now (I do a half annual refresh of almost everything, including the temp email accounts set up for "public" services - El Reg is about the only setup that has a permanent email address used).
-
-
-
Monday 9th October 2017 14:59 GMT DropBear
Re: No loss
While I'm not a fan of getting followed over multiple sites by a common comment system provider, I'm _several_ orders of magnitude more bothered when a site either decides to just rely on Facebook exclusively (thereby effectively denying me access completely) or implements its own (typically way, waaaaay shittier) comment system and expects me to register and log in with them for the once-in-a-blue-moon comment - on every single one of several hundred sites I might occasionally turn up on and happen to have something to say.
-
-
-
-
Monday 9th October 2017 10:14 GMT Anonymous Coward
Re: No loss
I gave up on it after a website using it allowed Anonymous Cowards - yes I know, but unlike el reg, they allowed the ACs to enter any name. So some troll decided to steal the login name I was using at the time to post utter nonsense. And as people couldn't tell a profile name from an Anon name, I was getting the blame for trolling.
I tried to contact Disgus and the website in question, but no-one seemed to care, so I no longer use disgus nor the website or their associated publications.
-
Saturday 7th October 2017 03:14 GMT john.jones.name
they disclosed but ?
have not informed users and have provided no information beyond acknowledgment
not a great start and without some good PR (of the technical type showing they actually know what they are doing) this is what they will be known for...
I dont see investors pouring any money into them soon...
-
Saturday 7th October 2017 05:32 GMT a_yank_lurker
User but not really affected
I use Disqus but a hack is more an annoyance. My Disqus password is unique as are all my passwords. I use a password manager (locally installed) to generate and track all my passwords. Plus, my passwords are long random strings of gibberish that use the entire keyboard when allowed.
-
Saturday 7th October 2017 10:03 GMT Christian Berger
Can't we just call it propperly?
It's not "database thieves". There probably were no people breaking into a data centre stealing hard disks.
It probably was them either having an SQL-Injection bug or them putting a backup somewhere where it could be found. In any case it's Disqus fault. If they insist on user logins (which is totally unnecessary for comments) they have to make sure they deal with their data responsibly. They apparently didn't, so it's their fault.
-
Saturday 7th October 2017 19:12 GMT Roland6
Announcement not particularly clear
Users who created logins on Disqus had salted SHA1 hashes of passwords whilst users who logged in via social providers only had references to those accounts.
I received Troy's email, what bothered me about the notification is that whilst the information may be technically accurate and correct, what does the above statement mean to your average user?
-
-
Monday 9th October 2017 12:34 GMT Robert Carnegie
Re: Announcement not particularly clear
We know that Disqus lets you use an account with Facebook, Twitter, or Google to log in to Disqus. I think in fact you may or may not also have a password, because I think I got the process wrong and set my Google password as the password for Disqus too, which isn't the same thing. I've now pre-emptively changed both of them to a formula of Leters78 which I've then forgotten, but I wrote it down in my diary of secrets.
So:
If you log in to Disqus with a password then it may have been leaked, although protected with salted SHA1, and you have to change it.
If you log in to Disqus using Facebook or whatever, then the leak includes your Facebook name (plain?) but not any password.
Or it may be both. If you see what I mean.
At https://haveibeenpwned.com/ you can input an e-mail address (plain disqus login) or user name and see where it has been leaked from, not counting what you just did :-) At the moment this may be showing all of Disqus's users and not only as of 2012, since people are claiming that they joined later and are being shown as included in this leak.
-
-
Monday 9th October 2017 00:41 GMT tom dial
(In reply to inmypjs)
It is not clear why Disqus' ability to collate postings is problem. Posts made on a publicly accessible web site would appear to be intended for public viewing (even if posted anonymously). The Register also collates all my posts (per login name), including the small number I have posted anonymously. I notice that I can access other peoples' posts, too, and suppose that they can access mine. I do not object to that; after all, they were put there for anyone visiting The Register to read (and critique) if they wished. If I cared to have two personas, maybe to post items of opposing viewpoint, The Register, and I assume Disqus, do not prevent it.
In conjunction with my Disqus password change an hour or so ago "just in case" I found it interesting to page back and see how consistent I have been on a variety of topics. In doing so, I found only a very small number I would have changed other than correction of typographical mistakes.
-
Monday 9th October 2017 09:01 GMT Anonymous Coward
It is not clear why Disqus' ability to collate postings is problem. Posts made on a publicly accessible web site would appear to be intended for public viewing (even if posted anonymously).
It's not the posting on ONE site, it's the posting ACROSS sites that makes Disqus problematic as it allows them to establish allusions to "trends" based on metrics and algorithms you have no hope on ever seeing, but those possibly unwarranted conclusions can then be sold to 3rd parties without your knowledge or control. As soon as you're personally identified (typically via your email address), you thus end up associated with a magic score that you have no control over.
This is generally the problem with data aggregators. You don't know what they get up to with your data, and those who buy that data appears not to be too bothered with that either.
-
Monday 9th October 2017 12:32 GMT inmypjs
"it's the posting ACROSS sites"
And not even posting. If you keep cookies your visit and which articles you read on all sites using disqus can (and no doubt will) be tracked.
Personally I don't keep cookies and if I used disqus more I would set up multiple accounts. I will also likely soon ditch and replace my current account. I am happy for people to judge what I say not the handle used to say it.
-
-
-
Monday 9th October 2017 10:52 GMT Samizdata
Notifications? Really?
Lies, foul lies. They certainly haven't notified me. The only thing I have heard on the whole thing was from the sainted Mr. Hunt. Sadly, at this point, I am almost regretting signing up for Mr. Hunt's notification service. No worries though. I use unique passwords across the board.
