Disqus confirmed on Friday a 2012 database breach that affected some data for 17.5 million users and included information dating back to 2007.
“The snapshot includes email addresses, Disqus user names, sign-up dates, and last login dates in plain text for 17.5mm users,” Jason Yan, the company’s CTO, wrote in a blog post. “Additionally, passwords (hashed using SHA1 with a salt; not in plain text) for about one-third of users are included.”
The company, which builds a commenting system for news websites, was notified on Thursday by security researcher Troy Hunt. Hunt runs the data breach notification website Have I Been Pwned.
No plain text passwords were exposed but, as a precaution, all affected users had their passwords reset, and Disqus is recommending that users change any related password. The company does “not believe that this data is widely distributed or readily available.”