back to article It's 4PM on Friday, almost time to log off and, oh look, Disqus says it's been hacked

Disqus, the developer of website comment systems used worldwide, is playing the old "bury bad news late on a Friday" card – as it just confessed one of its databases was swiped by hackers. The software maker, which produces reader comment boards for blogs and newspapers everywhere, admitted at 4pm Pacific Time, Friday, that a …

  1. Anonymous Coward
    Anonymous Coward

    If at least they blocked those morons who keep posting "GOOGLE IS PAYING ME THOUSAND OF DOLLARS" in every damn thread in every damn site that uses Disqus....

  2. inmypjs Silver badge

    Why would..

    anyone give Disqus an email address they cared about or any valid information for that matter?

    1. Anonymous Coward
      Anonymous Coward

      Re: Why would..

      That was my thought. 2012 - five years ago? Not using that email anymore - security by moving target.

    2. yoganmahew

      Re: Why would..

      Disqus keep a five year old database contacts copy? How many more DB copies do they have floating around? Do they know where they all are? Are they secured? Are there earlier copies that are less secure? (Including CC details, for example).

      1. macjules Silver badge

        Re: Why would..

        1) Realise that someone seems to have 'left' a copy of your 2007-2012 user database 'lying around' as if it was an old copy of Yellow Pages.

        2) Inform your PR department

        3) Wait until everyone has gone to the pub on a Friday afternoon and then release the press release

        4) Laugh at the morons who then discuss the breach in the comments.. on Disqus

        5) Realise that the 18m users were most likely Daily Telegraph commentards from that period and not worry too much.

        1. paulf

          Re: Why would..

          @macjules "5) Realise that the 18m users were most likely Daily Telegraph commentards from that period and not worry too much."

          I'm certain the Telegraph doesn't have 18m users/readers (At least I'm hopeful they don't!)

      2. Anonymous Coward
        Anonymous Coward

        Re: Why would..

        "Disqus keep a five year old database contacts copy?"

        Six years or so is normal for long term archive backups in most companies.

        1. John Brown (no body) Silver badge

          Re: Why would..

          "Six years or so is normal for long term archive backups in most companies."

          Yeah. On tape. In a cupboard. Possibly in a dark cellar. Maybe even with a "Beware of the Leopard" sign. But not on line where it can be accessed.

  3. Barry Rueger

    No loss

    I abandoned Disqus (Disqis? Disquas? Never can remember how they spell it) ages ago when every attempt to comment seemed to involve multiple login and authentication hoops that needed to be jumped through.

    Maybe it improved, but I just couldn't be bothered.

    1. Blotto Silver badge
      Paris Hilton

      Re: No loss


      Their name is in the title of the article

      It’s really not difficult to scroll up a little and see how they spell it.

    2. Anonymous Coward
      Anonymous Coward

      Re: No loss

      It must be greatly improved since 2012. I didn't know about it till a couple years ago and find it relatively easy to use. Generally speaking, when I see the little Disqus logo on a site's comment section, I think I will have fewer issues than if I try to use the site's own comment system. I tend to wish more sites used it.

      1. Anonymous Coward
        Anonymous Coward

        Re: No loss

        Agreed, and it’s way bettter than this crap commenting system on el reg.

        1. Pascal Monett Silver badge

          Maybe, but El Reg has yet to have its user list hacked.

          1. John Brown (no body) Silver badge

            "Maybe, but El Reg has yet to have its user list hacked."

            Shhhhhhhh!!!!!.....Don't say that our loud!!!

          2. Anonymous Coward
            Anonymous Coward

            I can’t find a link to the information just now, but did The Register not have the email addresses of people who had signed up to their newsletters snarfled and spammed a few years ago?

            At least The Register was quick to acknowledge the problem and to sincerely apologise for it.

            (It just goes to show that good security practice does require a lot of care and attention, however.)

          3. veti Silver badge

            Maybe, but El Reg has yet to have its user list hacked.

            As far as we know.

            How long do you think it would take them to notice, if it happened? And how long after that to inform us?

            I think Disqus comes out of this story pretty well, by notifying promptly. OK, on a Friday, but guess what? - the weekend is actually a pretty good time for most of us to deal with these things. Disqus is unlikely to be a mission-critical work account for most people.

            1. John Brown (no body) Silver badge

              "How long do you think it would take them to notice, if it happened? And how long after that to inform us?"

              I would guess that a much higher than average number of EL Reg commentards will be using a site specific email address. so I'd expect commentards to spot an incident pretty quickly.

      2. Doctor Syntax Silver badge

        Re: No loss

        Generally speaking, when I see the little Disqus logo on a site's comment section, I think I will have fewer issues than if I try to use the site's own comment system to enable Javascript.


        And no, I won't.

        1. Ken Moorhouse Silver badge
          Thumb Up

          Re: to enable Javascript.

          My turn to say "Nice one Doc".

        2. ElReg!comments!Pierre

          Re: No loss (Enable JS)

          Yeah, it's a pity too, as it is used by some places I like. But I will only consider enabling JS for things that are both absolutely job-critical and reasonnably safe, and both conditions exclude anything using disqus.

        3. Anonymous Coward
          Anonymous Coward

          Re: No loss

          I think I have to enable Javascript

          Or unblock the site in Ghostery and uBlock - and like you, I won't. They can have the password and username - 2012 is about 10 cycles of renewal away from what it is now (I do a half annual refresh of almost everything, including the temp email accounts set up for "public" services - El Reg is about the only setup that has a permanent email address used).

      3. inmypjs Silver badge

        Re: No loss

        " I tend to wish more sites used it."

        So disqus can track you across every site that uses disqus and what you say (if anything) on all of them?

        I tend to wish no sites used it. It sucks dick but so many places are too cheap/lazy to implement their own comments system.

        1. tiggity Silver badge

          Re: No loss

          Indeed, slurpy, slurpy and as Doc Syntax said - JS needed.

          If it uses discus then I don't comment

          (In the same way that if a site uses FB for login instead of its own then I don't log in)

          1. DropBear

            Re: No loss

            While I'm not a fan of getting followed over multiple sites by a common comment system provider, I'm _several_ orders of magnitude more bothered when a site either decides to just rely on Facebook exclusively (thereby effectively denying me access completely) or implements its own (typically way, waaaaay shittier) comment system and expects me to register and log in with them for the once-in-a-blue-moon comment - on every single one of several hundred sites I might occasionally turn up on and happen to have something to say.

    3. cd

      Re: No loss

      (Disqis? Disquas? Never can remember how they spell it)


    4. Anonymous Coward
      Anonymous Coward

      Re: No loss

      I gave up on it after a website using it allowed Anonymous Cowards - yes I know, but unlike el reg, they allowed the ACs to enter any name. So some troll decided to steal the login name I was using at the time to post utter nonsense. And as people couldn't tell a profile name from an Anon name, I was getting the blame for trolling.

      I tried to contact Disgus and the website in question, but no-one seemed to care, so I no longer use disgus nor the website or their associated publications.


    they disclosed but ?

    have not informed users and have provided no information beyond acknowledgment

    not a great start and without some good PR (of the technical type showing they actually know what they are doing) this is what they will be known for...

    I dont see investors pouring any money into them soon...

    1. Doctor Syntax Silver badge

      Re: they disclosed but ?

      "have not informed users and have provided no information beyond acknowledgment"

      From TFA: after spending the day notifying users of the hack

  5. Tim99 Silver badge


    Haven't seen anything of theirs for years, thanks to Ad-Blockers.

  6. a_yank_lurker Silver badge

    User but not really affected

    I use Disqus but a hack is more an annoyance. My Disqus password is unique as are all my passwords. I use a password manager (locally installed) to generate and track all my passwords. Plus, my passwords are long random strings of gibberish that use the entire keyboard when allowed.

    1. Anonymous Coward
      Anonymous Coward

      Re: User but not really affected

      bully for you

  7. Christian Berger

    Can't we just call it propperly?

    It's not "database thieves". There probably were no people breaking into a data centre stealing hard disks.

    It probably was them either having an SQL-Injection bug or them putting a backup somewhere where it could be found. In any case it's Disqus fault. If they insist on user logins (which is totally unnecessary for comments) they have to make sure they deal with their data responsibly. They apparently didn't, so it's their fault.

    1. HieronymusBloggs

      Re: Can't we just call it propperly?

      "If they insist on user logins (which is totally unnecessary for comments)"

      I take it you have never tried running a comment system that allowed unrestricted comments from the general public.

  8. Dr U Mour

    Discuss Disqus if you must

    But in all other respect please lets keep this a disqus free zone...(I'll pay pint money to keep it that way)

  9. Anonymous Coward
    Anonymous Coward

    I have no comment to make on Disqus.

  10. Anonymous Coward
    Anonymous Coward





    I could be here all night!

  11. Roland6 Silver badge

    Announcement not particularly clear

    Users who created logins on Disqus had salted SHA1 hashes of passwords whilst users who logged in via social providers only had references to those accounts.

    I received Troy's email, what bothered me about the notification is that whilst the information may be technically accurate and correct, what does the above statement mean to your average user?

    1. Destroy All Monsters Silver badge

      Re: Announcement not particularly clear

      And what is a "social provider"?

      1. herman Silver badge

        Re: Announcement not particularly clear

        And what is a "social provider"? - It is a personal data pimp.

        1. FlamingDeath Silver badge

          Re: Announcement not particularly clear

          It's got electrolytes

      2. Robert Carnegie Silver badge

        Re: Announcement not particularly clear

        We know that Disqus lets you use an account with Facebook, Twitter, or Google to log in to Disqus. I think in fact you may or may not also have a password, because I think I got the process wrong and set my Google password as the password for Disqus too, which isn't the same thing. I've now pre-emptively changed both of them to a formula of Leters78 which I've then forgotten, but I wrote it down in my diary of secrets.


        If you log in to Disqus with a password then it may have been leaked, although protected with salted SHA1, and you have to change it.

        If you log in to Disqus using Facebook or whatever, then the leak includes your Facebook name (plain?) but not any password.

        Or it may be both. If you see what I mean.

        At you can input an e-mail address (plain disqus login) or user name and see where it has been leaked from, not counting what you just did :-) At the moment this may be showing all of Disqus's users and not only as of 2012, since people are claiming that they joined later and are being shown as included in this leak.

  12. tom dial Silver badge

    (In reply to inmypjs)

    It is not clear why Disqus' ability to collate postings is problem. Posts made on a publicly accessible web site would appear to be intended for public viewing (even if posted anonymously). The Register also collates all my posts (per login name), including the small number I have posted anonymously. I notice that I can access other peoples' posts, too, and suppose that they can access mine. I do not object to that; after all, they were put there for anyone visiting The Register to read (and critique) if they wished. If I cared to have two personas, maybe to post items of opposing viewpoint, The Register, and I assume Disqus, do not prevent it.

    In conjunction with my Disqus password change an hour or so ago "just in case" I found it interesting to page back and see how consistent I have been on a variety of topics. In doing so, I found only a very small number I would have changed other than correction of typographical mistakes.

    1. Anonymous Coward
      Anonymous Coward

      It is not clear why Disqus' ability to collate postings is problem. Posts made on a publicly accessible web site would appear to be intended for public viewing (even if posted anonymously).

      It's not the posting on ONE site, it's the posting ACROSS sites that makes Disqus problematic as it allows them to establish allusions to "trends" based on metrics and algorithms you have no hope on ever seeing, but those possibly unwarranted conclusions can then be sold to 3rd parties without your knowledge or control. As soon as you're personally identified (typically via your email address), you thus end up associated with a magic score that you have no control over.

      This is generally the problem with data aggregators. You don't know what they get up to with your data, and those who buy that data appears not to be too bothered with that either.

      1. inmypjs Silver badge

        "it's the posting ACROSS sites"

        And not even posting. If you keep cookies your visit and which articles you read on all sites using disqus can (and no doubt will) be tracked.

        Personally I don't keep cookies and if I used disqus more I would set up multiple accounts. I will also likely soon ditch and replace my current account. I am happy for people to judge what I say not the handle used to say it.

  13. Samizdata

    Notifications? Really?

    Lies, foul lies. They certainly haven't notified me. The only thing I have heard on the whole thing was from the sainted Mr. Hunt. Sadly, at this point, I am almost regretting signing up for Mr. Hunt's notification service. No worries though. I use unique passwords across the board.

  14. ecofeco Silver badge

    A hack a day

    Takes the profits away.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

  • Telegram adds paid tier as it cracks 700 million users
    Without so much as a mention of encryption, but with a pastel-hued emoji-heavy nod to ‘sustainable monetization’

    Messaging app Telegram, which came to prominence for offering end-to-end encryption that irritated governments, has celebrated passing 700 million active monthly users with a pastel-hued announcement: a paid Premium tier of service.

    A Sunday post celebrates the 700 million user milestone by announcing a $4.99/month tier. The Premium tier distinguishes itself from the freebie plebeian tier with the ability to upload 4GB files, unthrottled downloads that come as fast as users' carriers will allow, and the chance to follow up to 1000 channels, create up to 20 chat folders each containing up to 200 chats, and to run four accounts in the Telegram app.

    Paying punters will also get exclusive stickers and reactions and won't see ads once they sign up to hand over coin each month.

    Continue reading
  • Halfords suffers a puncture in the customer details department
    I like driving in my car, hope my data's not gone far

    UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher.

    Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many UK cars.

    In January, Hatton replaced a tire on his car using a service from Halfords. It's a simple enough process – pick a tire online, select a date, then wait. A helpful confirmation email arrived with a link for order tracking. A curious soul, Hatton looked at what was happening behind the scenes when clicking the link and "noticed some API calls that seemed ripe for an IDOR" [Insecure Direct Object Reference].

    Continue reading
  • AMD targeted by RansomHouse, attackers claim to have '450Gb' in stolen data
    Relative cybercrime newbies not clear on whether they're alleging to have gigabits or gigabytes of chip biz files

    If claims hold true, AMD has been targeted by the extortion group RansomHouse, which says it is sitting on a trove of data stolen from the processor designer following an alleged security breach earlier this year.

    RansomHouse says it obtained the files from an intrusion into AMD's network on January 5, 2022, and that this isn't material from a previous leak of its intellectual property.

    This relatively new crew also says it doesn't breach the security of systems itself, nor develop or use ransomware. Instead, it acts as a "mediator" between attackers and victims to ensure payment is made for purloined data.

    Continue reading
  • Carnival Cruises torpedoed by US states, agrees to pay $6m after wave of cyberattacks
    Now those are some phishing boats

    Carnival Cruise Lines will cough up more than $6 million to end two separate lawsuits filed by 46 states in the US after sensitive, personal information on customers and employees was accessed in a string of cyberattacks.

    A couple of years ago, as the coronavirus pandemic was taking hold, the Miami-based biz revealed intruders had not only encrypted some of its data but also downloaded a collection of names and addresses; Social Security info, driver's license, and passport numbers; and health and payment information of thousands of people in almost every American state.

    It all started to go wrong more than a year prior, as the cruise line became aware of suspicious activity in May 2019. This apparently wasn't disclosed until 10 months later, in March 2020.

    Continue reading
  • Beijing probes security at academic journal database
    It's easy to see why – the question is, why now?

    China's internet regulator has launched an investigation into the security regime protecting academic journal database China National Knowledge Infrastructure (CNKI), citing national security concerns.

    In its announcement of the investigation, the China Cyberspace Administration (CAC) said:

    Continue reading
  • Israeli air raid sirens triggered in possible cyberattack
    Source remains unclear, plenty suspect Iran

    Air raid sirens sounded for over an hour in parts of Jerusalem and southern Israel on Sunday evening – but bombs never fell, leading some to blame Iran for compromising the alarms. 

    While the perpetrator remains unclear, Israel's National Cyber Directorate did say in a tweet that it suspected a cyberattack because the air raid sirens activated were municipality-owned public address systems, not Israel Defense Force alarms as originally believed. Sirens also sounded in the Red Sea port town of Eilat. 

    Netizens on social media and Israeli news sites pointed the finger at Iran, though a diplomatic source interviewed by the Jerusalem Post said there was no certainty Tehran was behind the attack. The source also said Israel faces cyberattacks regularly, and downplayed the significance of the incident. 

    Continue reading
  • Info on 1.5m people stolen from US bank in cyberattack
    Time to rethink that cybersecurity strategy?

    A US bank has said at least the names and social security numbers of more than 1.5 million of its customers were stolen from its computers in December.

    In a statement to the office of Maine's Attorney General this month, Flagstar Bank said it was compromised between December and April 2021. The organization's sysadmins, however, said they hadn't fully figured out whose data had been stolen, and what had been taken, until now. On June 2, they concluded criminals "accessed and/or acquired" files containing personal information on 1,547,169 people.

    "Flagstar experienced a cyber incident that involved unauthorized access to our network," the bank said in a statement emailed to The Register.

    Continue reading
  • There are 24.6 billion pairs of credentials for sale on dark web
    Plus: Citrix ASM has some really bad bugs, and more

    In brief More than half of the 24.6 billion stolen credential pairs available for sale on the dark web were exposed in the past year, the Digital Shadows Research Team has found.

    Data recorded from last year reflected a 64 percent increase over 2020's total (Digital Shadows publishes the data every two years), which is a significant slowdown compared to the two years preceding 2020. Between 2018 and the year the pandemic broke out, the number of credentials for sale shot up by 300 percent, the report said. 

    Of the 24.6 billion credentials for sale, 6.7 billion of the pairs are unique, an increase of 1.7 billion over two years. This represents a 34 percent increase from 2020.

    Continue reading
  • Elasticsearch server with no password or encryption leaks a million records
    POS and online ordering vendor StoreHub offered free Asian info takeaways

    Researchers at security product recommendation service Safety Detectives claim they’ve found almost a million customer records wide open on an Elasticsearch server run by Malaysian point-of-sale software vendor StoreHub.

    Safety Detectives’ report states it found a StoreHub sever that stored unencrypted data and was not password protected. The security company’s researchers were therefore able to waltz in and access 1.7 billion records describing the affairs of nearly a million people, in a trove totalling over a terabyte.

    StoreHub’s wares offer point of sale and online ordering, and the vendor therefore stores data about businesses that run its product and individual buyers’ activities.

    Continue reading
  • Protecting data now as the quantum era approaches
    Startup QuSecure is the latest vendor to jump into the field with its as-a-service offering

    Analysis Startup QuSecure will this week introduce a service aimed at addressing how to safeguard cybersecurity once quantum computing renders current public key encryption technologies vulnerable.

    It's unclear when quantum computers will easily crack classical crypto – estimates range from three to five years to never – but conventional wisdom is that now's the time to start preparing to ensure data remains encrypted.

    A growing list of established vendors like IBM and Google and smaller startups – Quantum Xchange and Quantinuum, among others – have worked on this for several years. QuSecure, which is launching this week after three years in stealth mode, will offer a fully managed service approach with QuProtect, which is designed to not only secure data now against conventional threats but also against future attacks from nation-states and bad actors leveraging quantum systems.

    Continue reading

Biting the hand that feeds IT © 1998–2022