
Disqus Demonstrates How to Do Breach Disclosure Right - Artemis2
https://www.troyhunt.com/disqus-demonstrates-how-to-do-data-breach-disclosure-right/
======
notzorbo3
> They provided details - the passwords were salted SHA1 hashes which is not a
> pretty story to tell in this day and age, but they told it truthfully
> regardless

The leak is from 2012, which might explain SHA1 usage. It should still have
been something better, even for that time, but still.

Anyway, I think it's pretty hilarious that we're now patting companies on the
back after leaking 17.5 million user details. Not that Disqus' disclosure
wasn't text book. Just that it's now so normal for companies to leak things
all over the place that we actually have Best Practices for what to do when
(not if ;-) that happens.

Personally, I don't register with my real name and email anymore, anywhere.
It's a bit of a pain in the ass sometimes, but worth it.
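
The password-storage point raised above, as an added example that is not Disqus code or anything from the article: a salted-SHA1 record of the kind described next to a slow, iterated hash (PBKDF2-HMAC-SHA256 from the standard library), plus the upgrade-on-login step a site can use once it decides to move. The record layout, the iteration count and the sample credentials are this example's own assumptions.

```python
"""Added example (not Disqus code): salted SHA1 vs. an iterated hash, with
upgrade-on-login. Record layout, work factor and credentials are assumed."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption: work factor in the range current guidance gives for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def legacy_sha1_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA1 record, 'sha1$<salt hex>$<digest hex>'.

    One fast hash per guess: the salt defeats precomputed tables but does
    nothing against offline brute force once the table leaks.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Iterated record, 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    The iteration count is stored with the record so it can be raised later
    without breaking verification of older entries.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest}"


def verify(record: str, password: str) -> bool:
    """Check a password against either record format; constant-time compare."""
    try:
        scheme, *fields = record.split("$")
        if scheme == "sha1":
            salt_hex, digest = fields
            candidate = hashlib.sha1(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
        elif scheme == "pbkdf2_sha256":
            iters, salt_hex, digest = fields
            candidate = hashlib.pbkdf2_hmac(
                "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
            ).hex()
        else:
            return False
    except ValueError:
        return False
    return hmac.compare_digest(candidate, digest)


def login(record: str, password: str) -> Tuple[bool, str]:
    """Verify, and return the record the site should now store.

    The plaintext is only in hand at login, so that is the one moment a
    legacy record can be rehashed. Users who never log in again keep the
    weak record, which is why a breach of such a table ends in a forced reset.
    """
    if not verify(record, password):
        return False, record
    if record.startswith("sha1$"):
        return True, pbkdf2_record(password)
    return True, record


if __name__ == "__main__":
    old = legacy_sha1_record("correct horse")
    ok, upgraded = login(old, "correct horse")
    print(old)
    print(ok, upgraded)
```

The upgrade path only helps users who return; everyone else is exposed at the speed of SHA1 until the site forces a reset, which is the control Disqus applied here.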

~~~
graystevens
As someone else said, it’s “when” not “if” when it comes to security. You
could have the best defences possible, but all it takes is a vulnerability in
something public facing, like a zero day (looking at you Equifax and Struts),
and you’re instantly at risk.

Plus, this is ignoring the easiest option... just spear phish the employees,
won’t be long before you get a catch or two.

Breaches are inevitable, it’s all about spotting them early and minimising
their impact. Oh and strong hashes help :)

~~~
jjnoakes
I don't agree. With proper design a zero day in a web-facing framework should
not automatically expose a full database of sensitive user information to the
internet.

------
StavrosK
While we're on the subject, is there an alternative to Disqus that doesn't
load three terabytes of stuff and have all the social-engagey functionality? I
just want something that does comments.

~~~
ploggingdev
Yes, I built Hosted Comments (
[https://www.hostedcomments.com/](https://www.hostedcomments.com/) ) for the
reason you mentioned as well as privacy concerns with ads and tracking
scripts. Demo here: [https://www.ploggingdev.com/2017/08/building-a-disqus-
altern...](https://www.ploggingdev.com/2017/08/building-a-disqus-alternative-
part-1--research/#hosted_comments)

But the catch is that I don't have a free plan (yet) since I can't make any
money off of users on the free plan. If you're interested though you are
welcome to sign up and use the comments system for free. I can offer a few
fellow HNers free access as a thank you to this community. If you decide to
use the comments system, just send me an email to let me know so that I can
mark the account as being on the free plan.

~~~
geostyx
I'd love to see a $2 plan for blogs just starting out with <20k views. Right
now 90% of the views I get are my own and I haven't gotten any comments on
Disqus yet.

~~~
archildress
Seconded.

~~~
KajMagnus
Have a look here, another embedded comments alternative. I'm looking to charge
$2, + it's open source. Scroll down to the bottom,
[https://www.kajmagnus.blog/new-embedded-
comments/](https://www.kajmagnus.blog/new-embedded-comments/)

(The underlying discussion platform:
[https://www.effectivediscussions.org/](https://www.effectivediscussions.org/)
)

It has some cool features that people at HN might like:
[https://www.effectivediscussions.org/-32/how-hacker-news-
can...](https://www.effectivediscussions.org/-32/how-hacker-news-can-be-
improved-3-things) (but I haven't ported all that to embedded-comments yet)

~~~
StavrosK
I really love how the embedded comments look, but I'm a bit concerned by your
other sites. I want my content to be at the forefront, not the commenting
system. Is that going to be an issue if I use your system, or are the extra
features configurable?

Also, is there any possibility I could use my own users with your site? I
don't want to have to make people sign up with another provider just to post
comments.

EDIT: Your onboarding is _really_ poor. I tried to create an account and it
gave me some odd comments about an email "I specified in the config", and I
have no idea what to do now. It seems I have half-created an account where my
email is already used but I don't have a password to log in with. Neither can
I reset my password or find documentation on how to embed comments.

EDIT 2: It looks like all the permalinks in your embedded comments point to
the forum site? That's not something I want for my content, hmm.

~~~
KajMagnus
Thanks, that was helpful feedback/info :-)

1) I'd like the blog post & content to be at the forefront too. What extra
features do you have in mind that you would want to disable/configure? Were
you referring to the sidebar with the most-recent-comments list maybe?

2) Use your own users: In the future, I would want to support that. Hmm. How
would it work. Maybe your website could send a message to the iframe that "the
current user is logged in, with username @Someone, real name Some-One, and
(optionally) email@example.com?" — Or it could set some name-and-email
cookie.

3) Onboarding: Ok really good to know that it's really poor. The email in the
config — I should probably rephrase that, then, or maybe auto-pre-fill the
email. It's the email one typed on the very first page, when one also picked a
website name...

...What has happened is that you've specified which email the admin _is going
to have_ ... and later on you need to create the admin account. Maybe I could
merge these steps into one. (They make more sense as 2 steps, when installing
on a stand-alone server oneself — then, one first specifies the admin's email
in a text config file.)

4) Permalinks are supposed to link back to the blog. However, for the blog to
be able to scroll down & focus on the linked comment, I need to implement some
message passing between the Javascript code running directly in the blog, and
the iframe with embedded comments (so the main frame gets to know how far down
to scroll). I haven't done that yet, and was thinking that for now maybe it
makes more sense to link to the comments over at *.ed.community (where
scrolling works, no iframe).

If you got the impression that all this isn't super ready yet, then yes that's
correct, it isn't. Hopefully a beta version at the end of October. One can use
everything already but ... might be a bit frustrating sometimes right now. I'm
about to deploy a new server, this weekend I would think, with instructions
about how one configures embedded comments.

~~~
StavrosK
Thanks for your reply! Please feel free to email me if you want to talk about
this more (email is in profile). To reply to your points:

1) I mainly noticed the permalink leading to the "forum" domain instead of the
page the user is currently on (like Disqus does).

2) The easiest way would be for me to receive an API key from you beforehand,
and send you the user's email if you need that (e.g. to email them), or just a
random-looking user ID, along with HMAC((email/id, timestamp), API key). This
way you can replay the HMAC and prove that I know the API key I'm
authenticating this user with. The timestamp is there to prevent replay
attacks later on (e.g. to expire the signature after X minutes).

3) Ah, I got confused because I closed the page at some point and came back,
and was getting some errors I don't remember now but that were confusing me at
the time. When I realized I can just continue the flow, it worked, but yes, I
would have liked it to be a bit more straightforward. I tried to log in with
Twitter but you wanted write permissions, so I didn't.

4) Hmm, the way Disqus does it is by linking to
[https://<theblog>.com/<post>#commentid](https://<theblog>.com/<post>#commentid)
and then using JS to scroll to the element pointed to by the hash. I don't
think message passing is required?

In any case, your system was the most visually pleasing and easy to compose
with of the five I've tried, so I'd be quite eager to implement it in a side-
project I'm working now. It's at a very early stage, but I'd be glad to give
you feedback and pay for the product down the line (although I don't
anticipate the project ever making any money or having many users, so I
probably won't be able to pay much).
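
The HMAC scheme sketched in point 2 above, as an added example that is not code from Effective Discussions, Hosted Comments or Disqus: the blog signs (user id, optional email, timestamp) with the shared API key, the comments host recomputes the MAC, compares in constant time, and only then checks the timestamp window. The token layout, the five-minute window and the sample key and user are this example's own assumptions.

```python
"""Added example (not the comment platform's code): HMAC-signed login
hand-off between a blog and an embedded comments host. Token layout,
expiry window and sample data are assumed."""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

MAX_AGE_SECONDS = 300  # assumption: a signature is good for five minutes


def blog_sign_user(api_key: bytes, user_id: str, email: Optional[str], now: int) -> str:
    """Blog side: produce '<base64url payload>.<hex mac>'.

    The payload bytes that are signed are the same bytes that are sent, so
    signer and verifier cannot disagree on serialisation.
    """
    payload = json.dumps(
        {"id": user_id, "email": email, "ts": now},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    mac = hmac.new(api_key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def comments_verify_token(api_key: bytes, token: str, now: int) -> Optional[dict]:
    """Comments-host side: return the asserted user, or None if the token is bad.

    Order matters: the MAC is checked before any claim is parsed or trusted,
    and compare_digest avoids leaking how many hex characters matched.
    """
    try:
        b64_payload, mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64_payload.encode())
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(api_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    claims = json.loads(payload)
    if not isinstance(claims, dict) or not isinstance(claims.get("ts"), int):
        return None
    # Reject replays of an old token; abs() also catches a clock skewed forward.
    if abs(now - claims["ts"]) > MAX_AGE_SECONDS:
        return None
    return {"id": claims["id"], "email": claims.get("email")}


if __name__ == "__main__":
    key = b"shared-api-key-from-the-comments-host"  # assumed, provisioned out of band
    now = int(time.time())
    token = blog_sign_user(key, "user-42", "alice@example.com", now)
    print(token)
    print(comments_verify_token(key, token, now))
    print(comments_verify_token(key, token, now + MAX_AGE_SECONDS + 1))  # expired -> None
```

In a real deployment the blog would hand the token to the iframe (for example as a query parameter on the embed URL) and the host would create or look up the user from the verified `id`; the email is optional and only needed if the host sends reply notifications itself.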

~~~
KajMagnus
Ok, email sent :-) (& permalinks fixed, now they point to the blog ... but I
haven't yet deployed the changes.)

------
feelin_googley
"Less than a day earlier, they had absolutely no idea what was coming yet they
managed to pull all this together in record time."

How is he sure that they had no knowledge?

What if they knew but were just waiting for someone with a blog or a Twitter
account to make the "discovery"?

In any event, none of this would have happened if email addresses had not been
collected.

There is no need to collect email addresses in order to allow internet users
to post comments. _Requiring_ email addresses serves no benefit to the user.
It is just more gratuitous data collection. Data which eventually becomes the
subject of yet another "data breach blog" entry.

~~~
philh
> It serves no benefit to the user.

Persistent identity -> password-protected account -> email for recovery.

I certainly wish more places would make email addresses optional, but there is
value in collecting them.

~~~
EpicEng
Why do I care about any of that? I just want to leave a comment on some random
blog and maybe read a couple of replies. I have backed out of commenting
numerous times because of this nonsense.

~~~
philh
If you personally don't care, then it provides no value to you. That's fine.
In that case you can hope that the blog allows anonymous commenting, which the
blog author may or may not want to provide for various reasons.

And I would hope disqus offers them that choice. But even if it doesn't, there
are many users who are not you and whose commenting patterns are not yours,
and email collection still adds value for them.

~~~
EpicEng
I imagine very few users care about having a Disqus account. It's not a
feature intended to make the user's experience a better one.

~~~
philh
You're making two separate claims, and both of them are very different to the
one I originally answered. I'm not really interested in going further with
this.

~~~
EpicEng
I'm not. I said "I" as in "a user".

------
jlgaddis
In a previous discussion here on HN, there were several folks who claimed that
they were (or should have been) affected that did not receive a notification
from Disqus but did receive a notification from HIBP.

~~~
masklinn
According to their statement[0], they have 17.5 million emails to get out.
Unless they routinely send several times that volume daily, they'll have to
batch the notifications over the next few days or the entire thing will get
blackholed.

[0] [https://blog.disqus.com/security-alert-user-info-
breach](https://blog.disqus.com/security-alert-user-info-breach)

> We are currently in process of emailing all of the impacted users directly.
> Getting all 17.5 million emails out will take us a few days, but we wanted
> to get this disclosure post out as soon as possible. Additionally we've
> posted links to this disclosure in our publisher admin panel, user
> homepages, and on disqus.com.

~~~
shalmanese
Their entire business is sending out emails to notify you when someone has
replied to your comment.

------
ComodoHacker
Would their reaction be so swift and competent if it wasn't Troy but someone
with no name?

~~~
spydum
That level and timeline of response tells you a great number of things,
regardless of the source:

1) they had a plan for breaches (it would be hard to cover all the ground
without one)

2) they had technical controls/capability to respond (mass password reset)

3) they had clear and direct accountability all the way up to CEO

Other than not having detected the breach, and using not-the-best (but not
entirely the worst either) password storage, I don't know what else you could
ask for.

~~~
megous
> The breach dated back to July 2012 but wasn't identified until years later
> when the data finally surfaced.

Not everything is rosy. They didn't notice unauthorized access for 5 years.

------
aidos
Is this correct though? I had the email from Troy saying my email was in the
breach but I haven't heard anything at all from Disqus...

~~~
r3bl
Yes it is. Here's the official Disqus statement:
[https://blog.disqus.com/security-alert-user-info-
breach](https://blog.disqus.com/security-alert-user-info-breach)

According to it:

> As a precautionary measure, we are forcing the reset of passwords for all
> affected users. We are contacting all of the users whose information was
> included to inform them of the situation.

They even give a shoutout to Troy right at the end of that article.

~~~
aidos
Thanks for the link. This reply to a comment on that page gives the
information I'm missing:

> "We are currently in process of emailing all of the impacted users directly.
> Getting all 17.5 million emails out will take us a few days, but we wanted
> to get this disclosure post out as soon as possible. Additionally we've
> posted links to this disclosure in our publisher admin panel, user
> homepages, and on disqus.com."

~~~
r3bl
Hey, it's kind of appropriate that you find what you're looking for in the
comments section on an article from the commenting platform itself. :)

------
DougWebb
I got an email, despite never having set up an account. I was able to reset my
password and delete the account though. Before I did that I looked through the
profile and settings, and it was completely blank aside from my email address.

I'm assuming one of the many people who use my gmail address by mistake tried
to sign up with it.

~~~
PakG1
This is the primary reason why I switched to using Fastmail with a custom
domain. Sick and tired of other people using my email address for stuff, or
worse, their friends regularly emailing me to organize get-togethers.

~~~
stevekemp
That won't help, I've had a "custom" domain since 1999. I still have people
sign up to random services using my email-address.

~~~
dasil003
Try having a common name at gmail and you'll realize that in fact you are
wrong, whatever problem you have at your own domain is peanuts in comparison
to that nightmare.

------
RachelF
Perhaps it is coincidental, but disclosing the results at 4pm EST on a Friday
afternoon helps "bury the bad news".

This ensures it falls outside the news cycle for most journalists and gets the
minimum of coverage.

------
megous
I have my mail in the breach, yet I don't have an account.

Perhaps I've deleted my account after 2012, but don't remember it.

Will be interesting to see if I receive email from them, despite not being a
user anymore.

