Disqus, Forrester Research suffer data breach

Popular blog comment hosting service Disqus and market research company Forrester Research announced late on Friday that they’ve suffered a breach.

While the latter was apparently limited to content made available to Forrester clients through Forrester.com, the former resulted in the theft of account data for some 17.5 million users.

Disqus breach

The Forrester incident

“There is no evidence that confidential client data, financial information, or confidential employee data was accessed or exposed as part of the incident. Preliminary forensic evidence suggests that the hacker was ultimately detected and shut out of the system; remediation steps were taken,” the company shared, but added that they continue to investigate the incident.

“We recognize that hackers will attack attractive targets — in this case, our research IP. We also understand there is a tradeoff between making it easy for our clients to access our research and security measures,” noted George F. Colony, chairman and chief executive officer of Forrester. “We feel that we have taken a common-sense approach to those two priorities; however, we will continuously look at that balance to respond to changing cybersecurity risk.”

Steven Peltzman, Forrester’s Chief Business Technology Officer, noted that the hacker managed to access and steal research reports made available to their clients by stealing valid Forrester.com user credentials.

He also shared that the incident triggered their system protocols and processes, allowing them to respond across their firm, and that it did not result in any work disruption.

The Disqus breach

Disqus was notified about the possibility of a breach by independent security researcher Troy Hunt, who obtained a copy of user account information that was apparently stolen from the company.

They received the data on Thursday, October 5, began to analyze it and confirmed that it was a snapshot of their user database from 2012 (with some of the information dating back to 2007). Less than 24 hours later, they began notifying users about the compromise.

The stolen data contains email addresses, Disqus user names, sign-up dates, and last login dates in plain text for some 17.5 million users. It also contains hashed passwords (SHA1+salt) for about a third of the users – the rest apparently logged in via social providers, so the database contained only references to those accounts instead of passwords.

Disqus founder Jason Yan said that it is possible, though unlikely, that the exposed hashed passwords have been decrypted, so they have forced a password reset on those users whose passwords were in the stolen database.

“We recommend that all users change passwords on other services if they are shared,” he noted, and warned that affected users “may receive spam or unwanted emails” since the stolen email addresses were stored in plain text.

“We’ve taken action to protect the accounts that were included in the data snapshot. Right now, we don’t believe there is any threat to a user accounts,” he shared. “Since 2012, as part of normal security enhancements, we’ve made significant upgrades to our database and encryption in order to prevent breaches and increase password security. Specifically, at the end of 2012 we changed our password hashing algorithm from SHA1 to bcrypt.”

The investigation into the breach continues.

Hunt has included the data in his Have I Been Pwned? service.