
If at least they blocked those morons who keep posting "GOOGLE IS PAYING ME THOUSAND OF DOLLARS" in every damn thread in every damn site that uses Disqus....
Disqus, the developer of website comment systems used worldwide, is playing the old "bury bad news late on a Friday" card – as it just confessed one of its databases was swiped by hackers. The software maker, which produces reader comment boards for blogs and newspapers everywhere, admitted at 4pm Pacific Time, Friday, that a …
1) Realise that someone seems to have 'left' a copy of your 2007-2012 user database 'lying around' as if it was an old copy of Yellow Pages.
2) Inform your PR department
3) Wait until everyone has gone to the pub on a Friday afternoon and then release the press release
4) Laugh at the morons who then discuss the breach in the comments.. on Disqus
5) Realise that the 18m users were most likely Daily Telegraph commentards from that period and not worry too much.
It must be greatly improved since 2012. I didn't know about it till a couple years ago and find it relatively easy to use. Generally speaking, when I see the little Disqus logo on a site's comment section, I think I will have fewer issues than if I try to use the site's own comment system. I tend to wish more sites used it.
I can’t find a link to the information just now, but did The Register not have the email addresses of people who had signed up to their newsletters snarfled and spammed a few years ago?
At least The Register was quick to acknowledge the problem and to sincerely apologise for it.
(It just goes to show that good security practice does require a lot of care and attention, however.)
Maybe, but El Reg has yet to have its user list hacked.
As far as we know.
How long do you think it would take them to notice, if it happened? And how long after that to inform us?
I think Disqus comes out of this story pretty well, by notifying promptly. OK, on a Friday, but guess what? - the weekend is actually a pretty good time for most of us to deal with these things. Disqus is unlikely to be a mission-critical work account for most people.
I think I have to enable Javascript
Or unblock the site in Ghostery and uBlock - and like you, I won't. They can have the password and username - 2012 is about 10 cycles of renewal away from what it is now (I do a half-annual refresh of almost everything, including the temp email accounts set up for "public" services - El Reg is about the only setup that has a permanent email address used).
While I'm not a fan of getting followed over multiple sites by a common comment system provider, I'm _several_ orders of magnitude more bothered when a site either decides to just rely on Facebook exclusively (thereby effectively denying me access completely) or implements its own (typically way, waaaaay shittier) comment system and expects me to register and log in with them for the once-in-a-blue-moon comment - on every single one of several hundred sites I might occasionally turn up on and happen to have something to say.
I gave up on it after a website using it allowed Anonymous Cowards - yes I know, but unlike el reg, they allowed the ACs to enter any name. So some troll decided to steal the login name I was using at the time to post utter nonsense. And as people couldn't tell a profile name from an Anon name, I was getting the blame for trolling.
I tried to contact Disgus and the website in question, but no-one seemed to care, so I no longer use disgus nor the website or their associated publications.
have not informed users and have provided no information beyond acknowledgment
not a great start and without some good PR (of the technical type showing they actually know what they are doing) this is what they will be known for...
I don't see investors pouring any money into them soon...
I use Disqus but a hack is more an annoyance. My Disqus password is unique as are all my passwords. I use a password manager (locally installed) to generate and track all my passwords. Plus, my passwords are long random strings of gibberish that use the entire keyboard when allowed.
It's not "database thieves". There probably were no people breaking into a data centre stealing hard disks.
It probably was them either having an SQL-Injection bug or them putting a backup somewhere where it could be found. In any case it's Disqus fault. If they insist on user logins (which is totally unnecessary for comments) they have to make sure they deal with their data responsibly. They apparently didn't, so it's their fault.
Users who created logins on Disqus had salted SHA1 hashes of passwords whilst users who logged in via social providers only had references to those accounts.
I received Troy's email, what bothered me about the notification is that whilst the information may be technically accurate and correct, what does the above statement mean to your average user?
We know that Disqus lets you use an account with Facebook, Twitter, or Google to log in to Disqus. I think in fact you may or may not also have a password, because I think I got the process wrong and set my Google password as the password for Disqus too, which isn't the same thing. I've now pre-emptively changed both of them to a formula of Leters78 which I've then forgotten, but I wrote it down in my diary of secrets.
So:
If you log in to Disqus with a password then it may have been leaked, although protected with salted SHA1, and you have to change it.
If you log in to Disqus using Facebook or whatever, then the leak includes your Facebook name (plain?) but not any password.
Or it may be both. If you see what I mean.
At https://haveibeenpwned.com/ you can input an e-mail address (plain disqus login) or user name and see where it has been leaked from, not counting what you just did :-) At the moment this may be showing all of Disqus's users and not only as of 2012, since people are claiming that they joined later and are being shown as included in this leak.
(In reply to inmypjs)
It is not clear why Disqus' ability to collate postings is a problem. Posts made on a publicly accessible web site would appear to be intended for public viewing (even if posted anonymously). The Register also collates all my posts (per login name), including the small number I have posted anonymously. I notice that I can access other people's posts, too, and suppose that they can access mine. I do not object to that; after all, they were put there for anyone visiting The Register to read (and critique) if they wished. If I cared to have two personas, maybe to post items of opposing viewpoint, The Register, and I assume Disqus, do not prevent it.
In conjunction with my Disqus password change an hour or so ago "just in case" I found it interesting to page back and see how consistent I have been on a variety of topics. In doing so, I found only a very small number I would have changed other than correction of typographical mistakes.
It is not clear why Disqus' ability to collate postings is a problem. Posts made on a publicly accessible web site would appear to be intended for public viewing (even if posted anonymously).
It's not the posting on ONE site, it's the posting ACROSS sites that makes Disqus problematic, as it allows them to establish allusions to "trends" based on metrics and algorithms you have no hope of ever seeing, but those possibly unwarranted conclusions can then be sold to 3rd parties without your knowledge or control. As soon as you're personally identified (typically via your email address), you thus end up associated with a magic score that you have no control over.
This is generally the problem with data aggregators. You don't know what they get up to with your data, and those who buy that data appear not to be too bothered with that either.
"it's the posting ACROSS sites"
And not even posting. If you keep cookies your visit and which articles you read on all sites using disqus can (and no doubt will) be tracked.
Personally I don't keep cookies and if I used disqus more I would set up multiple accounts. I will also likely soon ditch and replace my current account. I am happy for people to judge what I say not the handle used to say it.
Lies, foul lies. They certainly haven't notified me. The only thing I have heard on the whole thing was from the sainted Mr. Hunt. Sadly, at this point, I am almost regretting signing up for Mr. Hunt's notification service. No worries though. I use unique passwords across the board.
Messaging app Telegram, which came to prominence for offering end-to-end encryption that irritated governments, has celebrated passing 700 million active monthly users with a pastel-hued announcement: a paid Premium tier of service.
A Sunday post celebrates the 700 million user milestone by announcing a $4.99/month tier. The Premium tier distinguishes itself from the freebie plebeian tier with the ability to upload 4GB files, unthrottled downloads that come as fast as users' carriers will allow, and the chance to follow up to 1000 channels, create up to 20 chat folders each containing up to 200 chats, and to run four accounts in the Telegram app.
Paying punters will also get exclusive stickers and reactions and won't see ads once they sign up to hand over coin each month.
UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher.
Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many UK cars.
In January, Hatton replaced a tire on his car using a service from Halfords. It's a simple enough process – pick a tire online, select a date, then wait. A helpful confirmation email arrived with a link for order tracking. A curious soul, Hatton looked at what was happening behind the scenes when clicking the link and "noticed some API calls that seemed ripe for an IDOR" [Insecure Direct Object Reference].
If claims hold true, AMD has been targeted by the extortion group RansomHouse, which says it is sitting on a trove of data stolen from the processor designer following an alleged security breach earlier this year.
RansomHouse says it obtained the files from an intrusion into AMD's network on January 5, 2022, and that this isn't material from a previous leak of its intellectual property.
This relatively new crew also says it doesn't breach the security of systems itself, nor develop or use ransomware. Instead, it acts as a "mediator" between attackers and victims to ensure payment is made for purloined data.
Carnival Cruise Lines will cough up more than $6 million to end two separate lawsuits filed by 46 states in the US after sensitive, personal information on customers and employees was accessed in a string of cyberattacks.
A couple of years ago, as the coronavirus pandemic was taking hold, the Miami-based biz revealed intruders had not only encrypted some of its data but also downloaded a collection of names and addresses; Social Security info, driver's license, and passport numbers; and health and payment information of thousands of people in almost every American state.
It all started to go wrong more than a year prior, as the cruise line became aware of suspicious activity in May 2019. This apparently wasn't disclosed until 10 months later, in March 2020.
China's internet regulator has launched an investigation into the security regime protecting academic journal database China National Knowledge Infrastructure (CNKI), citing national security concerns.
In its announcement of the investigation, the China Cyberspace Administration (CAC) said:
Air raid sirens sounded for over an hour in parts of Jerusalem and southern Israel on Sunday evening – but bombs never fell, leading some to blame Iran for compromising the alarms.
While the perpetrator remains unclear, Israel's National Cyber Directorate did say in a tweet that it suspected a cyberattack because the air raid sirens activated were municipality-owned public address systems, not Israel Defense Force alarms as originally believed. Sirens also sounded in the Red Sea port town of Eilat.
Netizens on social media and Israeli news sites pointed the finger at Iran, though a diplomatic source interviewed by the Jerusalem Post said there was no certainty Tehran was behind the attack. The source also said Israel faces cyberattacks regularly, and downplayed the significance of the incident.
A US bank has said at least the names and social security numbers of more than 1.5 million of its customers were stolen from its computers in December.
In a statement to the office of Maine's Attorney General this month, Flagstar Bank said it was compromised between December and April 2021. The organization's sysadmins, however, said they hadn't fully figured out whose data had been stolen, and what had been taken, until now. On June 2, they concluded criminals "accessed and/or acquired" files containing personal information on 1,547,169 people.
"Flagstar experienced a cyber incident that involved unauthorized access to our network," the bank said in a statement emailed to The Register.
In brief: More than half of the 24.6 billion stolen credential pairs available for sale on the dark web were exposed in the past year, the Digital Shadows Research Team has found.
Data recorded from last year reflected a 64 percent increase over 2020's total (Digital Shadows publishes the data every two years), which is a significant slowdown compared to the two years preceding 2020. Between 2018 and the year the pandemic broke out, the number of credentials for sale shot up by 300 percent, the report said.
Of the 24.6 billion credentials for sale, 6.7 billion of the pairs are unique, an increase of 1.7 billion over two years. This represents a 34 percent increase from 2020.
Researchers at security product recommendation service Safety Detectives claim they’ve found almost a million customer records wide open on an Elasticsearch server run by Malaysian point-of-sale software vendor StoreHub.
Safety Detectives’ report states it found a StoreHub server that stored unencrypted data and was not password protected. The security company’s researchers were therefore able to waltz in and access 1.7 billion records describing the affairs of nearly a million people, in a trove totalling over a terabyte.
StoreHub’s wares offer point of sale and online ordering, and the vendor therefore stores data about businesses that run its product and individual buyers’ activities.
Analysis: Startup QuSecure will this week introduce a service aimed at addressing how to safeguard cybersecurity once quantum computing renders current public key encryption technologies vulnerable.
It's unclear when quantum computers will easily crack classical crypto – estimates range from three to five years to never – but conventional wisdom is that now's the time to start preparing to ensure data remains encrypted.
A growing list of established vendors like IBM and Google and smaller startups – Quantum Xchange and Quantinuum, among others – have worked on this for several years. QuSecure, which is launching this week after three years in stealth mode, will offer a fully managed service approach with QuProtect, which is designed to not only secure data now against conventional threats but also against future attacks from nation-states and bad actors leveraging quantum systems.