
> They provided details - the passwords were salted SHA1 hashes which is not a pretty story to tell in this day and age, but they told it truthfully regardless

The leak is from 2012, which might explain SHA1 usage. It should still have been something better, even for that time, but still.

Anyway, I think it's pretty hilarious that we're now patting companies on the back after leaking 17.5 million user details. Not that Disqus' disclosure wasn't text book. Just that it's now so normal for companies to leak things all over the place that we actually have Best Practices for what to do when (not if ;-) that happens.

Personally, I don't register with my real name and email anymore, anywhere. It's a bit of a pain in the ass sometimes, but worth it.



As someone else said, it’s “when” not “if” when it comes to security. You could have the best defences possible, but all it takes is a vulnerability in something public facing, like a zero day (looking at you Equifax and Struts), and you’re instantly at risk.

Plus, this is ignoring the easiest option... just spear phish the employees, won’t be long before you get a catch or two.

Breaches are inevitable, it’s all about spotting them early and minimising their impact. Oh and strong hashes help :)
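As an added illustration of the "strong hashes help" point (example code written for this thread, not Disqus's code and not their actual storage format): a verifier that still accepts legacy salted-SHA1 records, but upgrades each one to PBKDF2-HMAC-SHA256 the next time its owner logs in successfully. The record layout (`scheme$params$salt$digest`), the iteration count and the sample credentials are all assumptions made for the example.

```python
import base64  # noqa: F401  (kept for readers who prefer base64 over hex encoding)
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed record format (not any real site's schema):
#   "sha1$<salt hex>$<digest hex>"                         legacy, ~1 SHA-1 per guess
#   "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"   current, tunable work factor
PBKDF2_ITERATIONS = 600_000  # assumed current policy; raise it as hardware gets faster


def legacy_sha1_hash(password: str, salt: bytes) -> str:
    """Reproduce a 2012-style salted SHA-1 record so old rows can still be checked."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow, salted hash: every guess costs the attacker `iterations` HMAC computations."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a password against either record type, using a constant-time comparison."""
    scheme, *rest = stored.split("$")
    if scheme == "sha1" and len(rest) == 2:
        expected = legacy_sha1_hash(password, bytes.fromhex(rest[0]))
    elif scheme == "pbkdf2_sha256" and len(rest) == 3:
        expected = pbkdf2_hash(password, bytes.fromhex(rest[1]), int(rest[0]))
    else:
        return False  # unknown or malformed record: never accept
    return hmac.compare_digest(expected, stored)


def needs_rehash(stored: str) -> bool:
    """True for legacy records and for PBKDF2 records below the current work factor."""
    scheme, *rest = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return True
    return int(rest[0]) < PBKDF2_ITERATIONS


def login(stored: str, password: str) -> Tuple[bool, Optional[str]]:
    """Returns (accepted, replacement_record). The plaintext is only available at
    login time, so that is the one moment a weak record can be upgraded in place."""
    if not verify(password, stored):
        return False, None
    if needs_rehash(stored):
        return True, pbkdf2_hash(password)
    return True, None


if __name__ == "__main__":
    # Constructed sample: one legacy row, one successful login, one upgraded row.
    legacy = legacy_sha1_hash("correct horse battery", b"\x01\x02\x03\x04")
    ok, upgraded = login(legacy, "correct horse battery")
    print("accepted:", ok, "| upgraded record:", upgraded)
```

The point of the migration path is that a database full of salted SHA1 records never gets "fixed" by a one-off script, because you cannot rehash what you cannot see; each row is upgraded only when its owner next proves the password, and anything still on the old scheme after a grace period is a candidate for a forced reset.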


I don't agree. With proper design a zero day in a web-facing framework should not automatically expose a full database of sensitive user information to the internet.


In the land of infosec, it's always "when" something happens, not "if". You do your damndest to shore up defenses but a breach is inevitable.



