Blog comment service provider Disqus was hacked back in 2012, exposing 17.5 million user email addresses, the firm admitted on Friday.
The breached information also included Disqus user names, sign-up dates and last login dates in plain text, as well as, for about one-third of users, passwords hashed with salted SHA-1, a fast hash that leaves the stored values crackable by offline guessing.
The data theft appears to have occurred back in July 2012, with some of the information in the targeted database dating back as far as 2007, according to a blog post from the firm.
Disqus is in the process of notifying those affected and forcing a password reset as a precaution.
“Right now there isn’t any evidence of unauthorized logins occurring in relation to this. No plain text passwords were exposed, but it is possible for this data to be decrypted (even if unlikely). As a security precaution, we have reset the passwords for all affected users. We recommend that all users change passwords on other services if they are shared,” it said.
“Email addresses are in plain text here, so it’s possible that affected users may receive spam or unwanted emails.”
It’s unclear how the hackers managed to infiltrate the organization, but failing for over five years to realize the data had been compromised once again highlights the lack of visibility many firms have into network activity.
That said, security expert Troy Hunt, who was the first to inform Disqus of the breach last week, said its handling of the incident since has been “exemplary”, a point not lost on many online commentators.
“This was a dark moment for Disqus and there's no sugar-coating the fact that somehow, somewhere, someone on their end screwed up and they lost control of customer data,” he argued.
“But look at the public sentiment after their disclosure; because of the way Disqus handled the situation, it's resoundingly positive.”
In addition, the firm explained that it had switched from SHA-1 to the more secure bcrypt algorithm.
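The SHA-1 to bcrypt switch is the technical heart of this story, so here is an added example (not Disqus's code, and not from the article) showing why it matters. It measures how many password guesses per second one CPU core can push through a salted SHA-1 hash versus a tunable work-factor hash, and shows the usual migration pattern: keep verifying the legacy record, and rehash under the slow scheme the next time the user logs in. bcrypt is not in Python's standard library, so `hashlib.scrypt` stands in for it here; that substitution, the sample credential and the record format are all assumptions of this example.

```python
import hashlib
import hmac
import os
import time

# Constructed sample credential for the demo only; no real Disqus data involved.
SAMPLE_PASSWORD = b"correct horse battery staple"


def sha1_salted(password: bytes, salt: bytes) -> bytes:
    """Legacy scheme: a single, fast SHA-1 invocation over salt + password."""
    return hashlib.sha1(salt + password).digest()


def slow_hash(password: bytes, salt: bytes, log2_n: int = 14) -> bytes:
    """Work-factor scheme. scrypt (stdlib) stands in for bcrypt here (assumption);
    like bcrypt, its per-guess cost is tunable, via log2_n instead of bcrypt's rounds."""
    return hashlib.scrypt(password, salt=salt, n=1 << log2_n, r=8, p=1, dklen=32)


# Record format assumed for this example: (scheme name, salt, digest).
HASHERS = {"sha1": sha1_salted, "scrypt": slow_hash}


def make_record(password: bytes, scheme: str) -> tuple:
    """Create a stored credential record under the named scheme with a fresh random salt."""
    salt = os.urandom(16)
    return (scheme, salt, HASHERS[scheme](password, salt))


def verify_record(password: bytes, record: tuple) -> bool:
    """Constant-time comparison of the recomputed digest against the stored one."""
    scheme, salt, digest = record
    return hmac.compare_digest(HASHERS[scheme](password, salt), digest)


def check_and_upgrade(password: bytes, record: tuple) -> tuple:
    """Login-time migration: verify under whatever scheme the record uses, and if it
    still uses the legacy fast hash, return a replacement record under the slow one.
    Returns (login_ok, record_to_store)."""
    if not verify_record(password, record):
        return (False, record)
    if record[0] != "scrypt":
        return (True, make_record(password, "scrypt"))
    return (True, record)


def guesses_per_second(hasher, seconds: float = 0.2) -> float:
    """How many candidate passwords per second one core can hash with `hasher`.
    Verifier and attacker pay the same per-guess cost, so this is also the
    offline guessing rate an attacker gets from a leaked table (per core, no GPU)."""
    salt = os.urandom(16)
    count = 0
    start = time.perf_counter()
    deadline = start + seconds
    while True:  # always run at least one iteration, even for very slow hashers
        hasher(b"guess%08d" % count, salt)
        count += 1
        if time.perf_counter() >= deadline:
            break
    return count / (time.perf_counter() - start)


def compare_rates() -> dict:
    """Guess rates for both schemes; the ratio is the factor by which the
    work-factor hash slows down an offline attack on a stolen table."""
    return {name: guesses_per_second(h) for name, h in HASHERS.items()}


if __name__ == "__main__":
    legacy = make_record(SAMPLE_PASSWORD, "sha1")
    ok, upgraded = check_and_upgrade(SAMPLE_PASSWORD, legacy)
    print("login ok:", ok, "| record now uses:", upgraded[0])
    rates = compare_rates()
    for name, rate in rates.items():
        print(f"{name:6s} {rate:12.0f} guesses/s")
    print(f"slowdown factor: {rates['sha1'] / rates['scrypt']:.0f}x")
```

The slowdown factor printed at the end is the whole argument for the migration: a leaked table of salted SHA-1 hashes can be attacked at roughly the raw hash speed of the attacker's hardware, whereas a work-factor hash makes every guess cost tens of milliseconds, and the cost parameter can be raised as hardware improves. Note that a salt defeats precomputed tables but does nothing about per-guess speed, which is why "hashed and salted" SHA-1 was still worth a forced reset.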