Learning from the Disqus data breach

I’m a fan of Troy Hunt’s Have I Been Pwned? (HIBP) data breach project but being contacted by it three times in a month is unnerving.

In early September, HIBP sent me news that an email address used by me was among 711m found sitting on a server used to fuel the Onliner Spambot operation.

Given Onliner’s vast size, perhaps that wasn’t surprising, but last weekend I received two more unwanted emails from HIBP, this time relating to a previously unknown breach of 17.5m users of the Disqus comment system that happened in 2012, and a disclosed incident from 2014 affecting 9m users of URL shortener Bitly.

Clearly, the Disqus breach is the most serious of these because it wasn’t previously disclosed. But before delving into this, let’s remind ourselves why HIBP emails on disclosed breaches are also important.

A company announcing a data breach it is often telling its users that the company has been infiltrated and that their account data may have been accessed (because detecting an intrusion is one thing but figuring out what’s been stolen is something else again).

So an organisation might struggle to tell users if their data has actually been stolen and, even if it can do that, it can’t tell them what happened to the data after that.

HIBP alerts inform registered users that breached data has been detected in public, which confirms that it was stolen and may now be being traded and exploited. This part of the story tends to be ignored but it’s where the actions really starts.

But what of Disqus?

Just like me, it seems to have learned about the breach from HIBP. The good news is that having been informed, Disqus disclosed it to users within hours and reset affected users’ passwords, an unusually swift response. The bare facts:

• 17.5m accounts from 2007 to July 2012 are affected
• Anyone joining Disqus after July 2012 is not affected
• One third of passwords were exposed as salted SHA-1 hashes
• There “isn’t any evidence of unauthorized logins”

(Naked Security’s sister site Sophos News used Disqus from July 2013 to April 2017, a period after the breach.)

It’s disconcerting that Disqus has only just learned of a serious data breach from a third party, more than five years after it happened.

On the other hand, it would be far worse had it known for some of this time and not told anyone (see Equifax et al), or known but not properly assessed its size (see Yahoo’s expanding revelations).

The next question is what has Disqus done since 2012 that might improve security. On that score the company says:

At the end of 2012 we changed our password hashing algorithm from SHA‑1 to bcrypt.

That’s good because while SHA-1 hashes are better than passwords stored in plain text, they aren’t nearly as good as algorithms like bcrypt or scrypt (to find out why, read Paul Ducklin’s primer on how to store your users’ passwords safely).

LinkedIn infamously used unsalted SHA-1 at the time of its massive 2012 data breach with the end result that a large percentage were subsequently reported to have been cracked.

Disqus’s hashes won’t be as vulnerable as this because there were salted, which rules out old-style rainbow table cracking, but salting offers no guarantees.

It’s intriguing that Disqus only moved to bcrypt, one of several “slow” hashing techniques that date back nearly two decades, in 2012. Why wasn’t this more secure scheme adopted in the first place? Perhaps because while its slowness is an impediment to dictionary attacks, it also adds latency to the login process. Or maybe password security just didn’t look all that important in 2007.

However, perhaps fretting about passwords and accounts misses the important fact that, even without passwords, criminals have access to 17.5m email addresses they can use to set up phishing attacks and send spam to. This seems the most likely consequence of the Disqus breach.

It’s not one I’ll be worrying about too much give that HIBP tells me my email address has already been breached on four other occasions already – my address has been out there for years.

My deeper anxiety regards the following statement by Hunt:

I still have multiple other data breaches from the same set that Disqus came in and totalling tens of millions of records.

Disqus, it seems, is not the end of it.

Sometimes it can seem as if nobody much cares about data breaches any more. I, for one, am pleased that Hunt and HIBP is not among them.