Discus breached 17.5 million user accounts in 2012, then did everything right about it in 2017

This weekend, we learned that Discus — the commenting system we once used here on Boing Boing — suffered a breach in 2012 in which 17.5m user accounts (email addresses, signup names, account activity dates and some unsalted, weakly encrypted passwords) were stolen.

That part is normal enough, alas. In the wake of Equifax's world-beating, 145,500,000-account breach of sensitive financial and personal data, it hardly registers.

But there is one way in which Discus's breach is extremely noteworthy: the grace, responsibility and thoroughness of the company's response. 23 hours and 42 minutes after being informed of the breach, Discus had established the legitimacy of the breach, audited their systems to ensure that the vulnerability wasn't still live, changed the password on all affected accounts and notified users about it, written and published a thorough disclosure, and made their CEO available to answer questions.


As Have I Been Pwned's Troy Hunt (who told Discus about the breach) writes, this is a model for responsible breach response — a laudable combination that is without precedent in the increasingly fraught world of breach disclosures.

You can check whether your data was breached by Discus by searching Have I Been Pwned?.


When I look at how Disqus handled their incident, they ticked so many of the boxes:

1. It was easy to report to them (admittedly, my having an existing contact there inevitably made it easier than if I was coming out of the blue)

2. They applied urgency, more than I can honestly say I've seen any company do before under similar circumstances
They disclosed early, earlier than anyone could have reasonably expected (I normally consider 72 hours the "Gold Standard")

3. They protected impacted accounts very quickly by resetting the passwords of accounts that had them disclosed

4. They were entirely transparent; there was never a moment where I thought they were attempting to spin this in their favour at the expense of the truth

5. They provided details – the passwords were salted SHA1 hashes which is not a pretty story to tell in this day and age, but they told it truthfully regardless

6. They apologised (it was one of the first things they said); they owned this incident from the outside and didn't attempt to divert blame elsewhere


Disqus Demonstrates How to Do Breach Disclosure Right
[Troy Hunt]