Disqus Data Breach (2015)

Disqus is updating its widely-used comments platform after a Swedish tabloid exposed politicians and other public figures for allegedly making highly offensive comments on right-wing websites. The Swedish daily Expressen, working with an investigative journalism group, said it uncovered the identity of hundreds of people who left offensive comments at four right-wing websites through their email addresses. It then confronted the authors of the comments, many of whom freely admitted to writing them. Later on Tuesday, Disqus said its network had not been breached and that it did not leak email addresses. The journalists appeared to have abused a feature it used for a third-party service, it said. Also on CIO.com: What CSOs should do on their first days Hiring an information security vendor? Use these best practices. Security takes center stage in 2016 Based on information from Disqus and other observers, a general picture of the journalists' method has emerged. Disqus used a third-party service called Gravatar from Automattic, the company behind the WordPress software. Users can upload an avatar, which will then appear on any Gravatar-enabled website. A Disqus API (application programming interface) fetched avatars from Gravatar using the hashed email addresses of registered users. A hash is a cryptographic representation of a value processed by an algorithm. For example, the email address "idg@idgnews.com" when processed by the MD5 algorithm appears as this hash: "0ff3eeab2b765f017a526bbddd328c3b." The journalists likely collected the nicknames of commentators from the websites, then pinged Disqus' API to see what MD5 value was returned. They could have gained access to Disqus' API by creating an account, according to Eaxbreakparty, a blog run by a self-described cryptography enthusiast.