It's 4PM on Friday, almost time to log off and, oh look, Disqus says it's been hacked

Disqus, the developer of website comment systems used worldwide, is playing the old "bury bad news late on a Friday" card – as it just confessed one of its databases was swiped by hackers. The software maker, which produces reader comment boards for blogs and newspapers everywhere, admitted at 4pm Pacific Time, Friday, that a …

  1. Anonymous Coward

    If at least they blocked those morons who keep posting "GOOGLE IS PAYING ME THOUSAND OF DOLLARS" in every damn thread in every damn site that uses Disqus....

  2. inmypjs Silver badge

    Why would..

    anyone give Disqus an email address they cared about or any valid information for that matter?

    1. Anonymous Coward

      Re: Why would..

      That was my thought. 2012 - five years ago? Not using that email anymore - security by moving target.

    2. yoganmahew

      Re: Why would..

      Disqus keep a five year old database contacts copy? How many more DB copies do they have floating around? Do they know where they all are? Are they secured? Are there earlier copies that are less secure? (Including CC details, for example).

      1. macjules

        Re: Why would..

        1) Realise that someone seems to have 'left' a copy of your 2007-2012 user database 'lying around' as if it was an old copy of Yellow Pages.

        2) Inform your PR department

        3) Wait until everyone has gone to the pub on a Friday afternoon and then release the press release

        4) Laugh at the morons who then discuss the breach in the comments.. on Disqus

        5) Realise that the 18m users were most likely Daily Telegraph commentards from that period and not worry too much.

        1. paulf

          Re: Why would..

          @macjules "5) Realise that the 18m users were most likely Daily Telegraph commentards from that period and not worry too much."

          I'm certain the Telegraph doesn't have 18m users/readers (At least I'm hopeful they don't!)

      2. Anonymous Coward

        Re: Why would..

        "Disqus keep a five year old database contacts copy?"

        Six years or so is normal for long term archive backups in most companies.

        1. John Brown (no body) Silver badge

          Re: Why would..

          "Six years or so is normal for long term archive backups in most companies."

          Yeah. On tape. In a cupboard. Possibly in a dark cellar. Maybe even with a "Beware of the Leopard" sign. But not on line where it can be accessed.

  3. Barry Rueger

    No loss

    I abandoned Disqus (Disqis? Disquas? Never can remember how they spell it) ages ago when every attempt to comment seemed to involve multiple login and authentication hoops that needed to be jumped through.

    Maybe it improved, but I just couldn't be bothered.

    1. Blotto Silver badge
      Paris Hilton

      Re: No loss

      @barry

      Their name is in the title of the article

      It’s really not difficult to scroll up a little and see how they spell it.

    2. Anonymous Coward

      Re: No loss

      It must be greatly improved since 2012. I didn't know about it till a couple years ago and find it relatively easy to use. Generally speaking, when I see the little Disqus logo on a site's comment section, I think I will have fewer issues than if I try to use the site's own comment system. I tend to wish more sites used it.

      1. Anonymous Coward

        Re: No loss

        Agreed, and it’s way better than this crap commenting system on el reg.

        1. Pascal Monett Silver badge

          Maybe, but El Reg has yet to have its user list hacked.

          1. John Brown (no body) Silver badge
            Facepalm

            "Maybe, but El Reg has yet to have its user list hacked."

            Shhhhhhhh!!!!!.....Don't say that out loud!!!

          2. Anonymous Coward

            I can’t find a link to the information just now, but did The Register not have the email addresses of people who had signed up to their newsletters snarfled and spammed a few years ago?

            At least The Register was quick to acknowledge the problem and to sincerely apologise for it.

            (It just goes to show that good security practice does require a lot of care and attention, however.)

          3. veti Silver badge

            Maybe, but El Reg has yet to have its user list hacked.

            As far as we know.

            How long do you think it would take them to notice, if it happened? And how long after that to inform us?

            I think Disqus comes out of this story pretty well, by notifying promptly. OK, on a Friday, but guess what? - the weekend is actually a pretty good time for most of us to deal with these things. Disqus is unlikely to be a mission-critical work account for most people.

            1. John Brown (no body) Silver badge

              "How long do you think it would take them to notice, if it happened? And how long after that to inform us?"

              I would guess that a much higher than average number of El Reg commentards will be using a site-specific email address, so I'd expect commentards to spot an incident pretty quickly.

      2. Doctor Syntax Silver badge

        Re: No loss

        Generally speaking, when I see the little Disqus logo on a site's comment section, I think I will have fewer issues than if I try to use the site's own comment system to enable Javascript.

        FTFY

        And no, I won't.

        1. Ken Moorhouse Silver badge
          Thumb Up

          Re: to enable Javascript.

          My turn to say "Nice one Doc".

        2. ElReg!comments!Pierre

          Re: No loss (Enable JS)

          Yeah, it's a pity too, as it is used by some places I like. But I will only consider enabling JS for things that are both absolutely job-critical and reasonably safe, and both conditions exclude anything using disqus.

        3. Anonymous Coward

          Re: No loss

          I think I have to enable Javascript

          Or unblock the site in Ghostery and uBlock - and like you, I won't. They can have the password and username - 2012 is about 10 cycles of renewal away from what it is now (I do a half annual refresh of almost everything, including the temp email accounts set up for "public" services - El Reg is about the only setup that has a permanent email address used).

      3. inmypjs Silver badge

        Re: No loss

        " I tend to wish more sites used it."

        So disqus can track you across every site that uses disqus and what you say (if anything) on all of them?

        I tend to wish no sites used it. It sucks dick but so many places are too cheap/lazy to implement their own comments system.

        1. tiggity Silver badge

          Re: No loss

          Indeed, slurpy, slurpy and as Doc Syntax said - JS needed.

          If it uses discus then I don't comment

          (In the same way that if a site uses FB for login instead of its own then I don't log in)

          1. DropBear

            Re: No loss

            While I'm not a fan of getting followed over multiple sites by a common comment system provider, I'm _several_ orders of magnitude more bothered when a site either decides to just rely on Facebook exclusively (thereby effectively denying me access completely) or implements its own (typically way, waaaaay shittier) comment system and expects me to register and log in with them for the once-in-a-blue-moon comment - on every single one of several hundred sites I might occasionally turn up on and happen to have something to say.

    3. cd

      Re: No loss

      (Disqis? Disquas? Never can remember how they spell it)

      Disgust

    4. Anonymous Coward

      Re: No loss

      I gave up on it after a website using it allowed Anonymous Cowards - yes I know, but unlike el reg, they allowed the ACs to enter any name. So some troll decided to steal the login name I was using at the time to post utter nonsense. And as people couldn't tell a profile name from an Anon name, I was getting the blame for trolling.

      I tried to contact Disgus and the website in question, but no-one seemed to care, so I no longer use disgus nor the website or their associated publications.

  4. john.jones.name

    they disclosed but ?

    have not informed users and have provided no information beyond acknowledgment

    not a great start and without some good PR (of the technical type showing they actually know what they are doing) this is what they will be known for...

    I don't see investors pouring any money into them soon...

    1. Doctor Syntax Silver badge

      Re: they disclosed but ?

      "have not informed users and have provided no information beyond acknowledgment"

      From TFA: after spending the day notifying users of the hack

  5. Tim99 Silver badge

    N/A

    Haven't seen anything of theirs for years, thanks to Ad-Blockers.

  6. a_yank_lurker

    User but not really affected

    I use Disqus but a hack is more an annoyance. My Disqus password is unique as are all my passwords. I use a password manager (locally installed) to generate and track all my passwords. Plus, my passwords are long random strings of gibberish that use the entire keyboard when allowed.

    1. Anonymous Coward

      Re: User but not really affected

      bully for you

  7. Christian Berger

    Can't we just call it properly?

    It's not "database thieves". There probably were no people breaking into a data centre stealing hard disks.

    It probably was them either having an SQL-Injection bug or them putting a backup somewhere where it could be found. In any case it's Disqus fault. If they insist on user logins (which is totally unnecessary for comments) they have to make sure they deal with their data responsibly. They apparently didn't, so it's their fault.

    1. HieronymusBloggs

      Re: Can't we just call it properly?

      "If they insist on user logins (which is totally unnecessary for comments)"

      I take it you have never tried running a comment system that allowed unrestricted comments from the general public.

  8. Dr U Mour

    Discuss Disqus if you must

    But in all other respects please let's keep this a disqus free zone...(I'll pay pint money to keep it that way)

  9. Anonymous Coward

    I have no comment to make on Disqus.

  10. Anonymous Coward

    Disqus

    ted.

    Disqus

    ting

    I could be here all night!

  11. Roland6 Silver badge

    Announcement not particularly clear

    Users who created logins on Disqus had salted SHA1 hashes of passwords whilst users who logged in via social providers only had references to those accounts.

    I received Troy's email, what bothered me about the notification is that whilst the information may be technically accurate and correct, what does the above statement mean to your average user?

    1. Destroy All Monsters Silver badge

      Re: Announcement not particularly clear

      And what is a "social provider"?

      1. herman

        Re: Announcement not particularly clear

        And what is a "social provider"? - It is a personal data pimp.

        1. FlamingDeath Silver badge
          Facepalm

          Re: Announcement not particularly clear

          It's got electrolytes

      2. Robert Carnegie Silver badge

        Re: Announcement not particularly clear

        We know that Disqus lets you use an account with Facebook, Twitter, or Google to log in to Disqus. I think in fact you may or may not also have a password, because I think I got the process wrong and set my Google password as the password for Disqus too, which isn't the same thing. I've now pre-emptively changed both of them to a formula of Leters78 which I've then forgotten, but I wrote it down in my diary of secrets.

        So:

        If you log in to Disqus with a password then it may have been leaked, although protected with salted SHA1, and you have to change it.

        If you log in to Disqus using Facebook or whatever, then the leak includes your Facebook name (plain?) but not any password.

        Or it may be both. If you see what I mean.

        At https://haveibeenpwned.com/ you can input an e-mail address (plain disqus login) or user name and see where it has been leaked from, not counting what you just did :-) At the moment this may be showing all of Disqus's users and not only as of 2012, since people are claiming that they joined later and are being shown as included in this leak.

  12. tom dial Silver badge

    (In reply to inmypjs)

    It is not clear why Disqus' ability to collate postings is a problem. Posts made on a publicly accessible web site would appear to be intended for public viewing (even if posted anonymously). The Register also collates all my posts (per login name), including the small number I have posted anonymously. I notice that I can access other people's posts, too, and suppose that they can access mine. I do not object to that; after all, they were put there for anyone visiting The Register to read (and critique) if they wished. If I cared to have two personas, maybe to post items of opposing viewpoint, The Register, and I assume Disqus, do not prevent it.

    In conjunction with my Disqus password change an hour or so ago "just in case" I found it interesting to page back and see how consistent I have been on a variety of topics. In doing so, I found only a very small number I would have changed other than correction of typographical mistakes.

    1. Anonymous Coward

      It is not clear why Disqus' ability to collate postings is a problem. Posts made on a publicly accessible web site would appear to be intended for public viewing (even if posted anonymously).

      It's not the posting on ONE site, it's the posting ACROSS sites that makes Disqus problematic as it allows them to establish allusions to "trends" based on metrics and algorithms you have no hope on ever seeing, but those possibly unwarranted conclusions can then be sold to 3rd parties without your knowledge or control. As soon as you're personally identified (typically via your email address), you thus end up associated with a magic score that you have no control over.

      This is generally the problem with data aggregators. You don't know what they get up to with your data, and those who buy that data appear not to be too bothered with that either.

      1. inmypjs Silver badge

        "it's the posting ACROSS sites"

        And not even posting. If you keep cookies your visit and which articles you read on all sites using disqus can (and no doubt will) be tracked.

        Personally I don't keep cookies and if I used disqus more I would set up multiple accounts. I will also likely soon ditch and replace my current account. I am happy for people to judge what I say not the handle used to say it.

  13. Samizdata
    FAIL

    Notifications? Really?

    Lies, foul lies. They certainly haven't notified me. The only thing I have heard on the whole thing was from the sainted Mr. Hunt. Sadly, at this point, I am almost regretting signing up for Mr. Hunt's notification service. No worries though. I use unique passwords across the board.

  14. ecofeco Silver badge

    A hack a day

    Takes the profits away.
