Earlier today, late on Friday evening, Disqus confirmed a data breach that appears to have taken place in the summer of 2012, during which one or more unknown attackers made off with details for at least 17.5 million user accounts.
The company found out about the breach from Aussie security researcher Troy Hunt, who came into possession of a copy of the stolen data and informed Disqus yesterday afternoon.
According to one of Hunt's tweets, it took Disqus 23 hours and 42 minutes to investigate the data and confirm the breach.
Disqus, the web's largest provider of hosted commenting systems, has already started notifying users included in the data provided by Hunt.
According to the company, hackers stole email addresses, Disqus usernames, sign-up dates, and last login dates in plain text. SHA-1 hashed passwords were included for only about a third of the 17.5 million records.
Disqus says the last entry in the exposed data is from July 2012, a good indicator of when the security breach took place.
This means hackers made off with details for Disqus users who signed up between 2007, when the company was founded, and July 2012.
"Right now, we don’t believe there is any threats to a user account," Disqus said in a security alert. "Since 2012, as part of normal security enhancements, we’ve made significant upgrades to our database and encryption in order to prevent breaches and increase password security."
Disqus also said that at the end of 2012, it switched its password hashing algorithm from SHA-1 to bcrypt.
The age of the breach and the fact that the passwords were hashed with SHA-1 protected most of the compromised accounts. Disqus said it found no evidence of unauthorized logins in relation to the breach.
Nonetheless, even if the danger is low, the company has reset passwords for all affected users. Disqus also said it is still investigating the incident. More details are likely to surface in the coming weeks.