The leak is from 2012, which might explain SHA1 usage. It should still have been something better, even for that time, but still.
Anyway, I think it's pretty hilarious that we're now patting companies on the back after leaking 17.5 million user details. Not that Disqus' disclosure wasn't textbook. Just that it's now so normal for companies to leak things all over the place that we actually have Best Practices for what to do when (not if ;-) that happens.
Personally, I don't register with my real name and email anymore, anywhere. It's a bit of a pain in the ass sometimes, but worth it.
Plus, this is ignoring the easiest option... just spear phish the employees, won’t be long before you get a catch or two.
Breaches are inevitable, it’s all about spotting them early and minimising their impact. Oh and strong hashes help :)
But the catch is that I don't have a free plan (yet) since I can't make any money off of users on the free plan. If you're interested though you are welcome to sign up and use the comments system for free. I can offer a few fellow HNers free access as a thank you to this community. If you decide to use the comments system, just send me an email to let me know so that I can mark the account as being on the free plan.
(The underlying discussion platform: https://www.effectivediscussions.org/ )
It has some cool features that people at HN might like: https://www.effectivediscussions.org/-32/how-hacker-news-can... (but I haven't ported all that to embedded-comments yet)
Also, is there any possibility I could use my own users with your site? I don't want to have to make people sign up with another provider just to post comments.
EDIT: Your onboarding is really poor. I tried to create an account and it gave me some odd comments about an email "I specified in the config", and I have no idea what to do now. It seems I have half-created an account where my email is already used but I don't have a password to log in with. Neither can I reset my password or find documentation on how to embed comments.
EDIT 2: It looks like all the permalinks in your embedded comments point to the forum site? That's not something I want for my content, hmm.
1) I'd like the blog post & content to be at the forefront too. What extra features do you have in mind that you would want to disable/configure? Were you referring to the sidebar with the most-recent-comments list maybe?
2) Use your own users: In the future, I would want to support that. Hmm. How would it work? Maybe your website could send a message to the iframe that "the current user is logged in, with username @Someone, real name Some-One, and (optionally) firstname.lastname@example.org?" — Or it could set some name-and-email cookie.
3) Onboarding: Ok really good to know that it's really poor. The email in the config — I should probably rephrase that, then, or maybe auto-pre-fill the email. It's the email one typed on the very first page, when one also picked a website name...
...What has happened is that you've specified which email the admin is going to have ... and later on you need to create the admin account. Maybe I could merge these steps into one. (They make more sense as 2 steps, when installing on a stand-alone server oneself — then, one first specifies the admin's email in a text config file.)
If you got the impression that all this isn't super ready yet, then yes, that's correct, it isn't. Hopefully a beta version at the end of October. One can use everything already but ... might be a bit frustrating sometimes right now. I'm about to deploy a new server, this weekend I would think, with instructions about how one configures embedded comments.
1) I mainly noticed the permalink leading to the "forum" domain instead of the page the user is currently on (like Disqus does).
2) The easiest way would be for me to receive an API key from you beforehand, and send you the user's email if you need that (e.g. to email them), or just a random-looking user ID, along with HMAC((email/id, timestamp), API key). This way you can replay the HMAC and prove that I know the API key I'm authenticating this user with. The timestamp is there to prevent replay attacks later on (e.g. to expire the signature after X minutes).
3) Ah, I got confused because I closed the page at some point and came back, and was getting some errors I don't remember now but that were confusing me at the time. When I realized I can just continue the flow, it worked, but yes, I would have liked it to be a bit more straightforward. I tried to log in with Twitter but you wanted write permissions, so I didn't.
4) Hmm, the way Disqus does it is by linking to https://<theblog>.com/<post>#commentid and then using JS to scroll to the element pointed to by the hash. I don't think message passing is required?
In any case, your system was the most visually pleasing and easy to compose with of the five I've tried, so I'd be quite eager to implement it in a side-project I'm working now. It's at a very early stage, but I'd be glad to give you feedback and pay for the product down the line (although I don't anticipate the project ever making any money or having many users, so I probably won't be able to pay much).
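The signed-user scheme sketched in point 2 above (blog sends a user id or email plus a timestamp, signed with an HMAC under a pre-shared API key; the comment host recomputes the HMAC and rejects stale timestamps), written out as an added example. This is not code from the commenter or from effectivediscussions.org; the token format, the `sign_user`/`verify_user` names, the 5-minute window and the sample key are assumptions for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Assumed token layout: base64url(JSON payload) "." hex(HMAC-SHA256(key, payload)).
# The payload is canonicalised (sorted keys, no whitespace) so both sides MAC
# exactly the same bytes.


def sign_user(api_key, user_id, email, ts):
    """Blog side: assert 'this user is logged in here' to the comment host.

    api_key: shared secret (bytes) handed out by the comment host beforehand.
    user_id: opaque identifier (may be random-looking); email optional.
    ts:      issue time as a Unix timestamp (int), used for expiry.
    """
    payload = json.dumps(
        {"id": user_id, "email": email, "ts": ts},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    sig = hmac.new(api_key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_user(api_key, token, now, max_age=300, max_skew=60):
    """Comment-host side: return the payload dict if the token is authentic
    and fresh, else None. MAC is checked before the payload is parsed, so
    untrusted bytes never reach the JSON decoder."""
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(api_key, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    if not hmac.compare_digest(expected, sig):
        return None
    data = json.loads(payload)
    ts = data.get("ts")
    if not isinstance(ts, int):
        return None
    # Reject tokens older than max_age and tokens from the future beyond
    # a small clock-skew allowance; this is what bounds replay.
    if ts < now - max_age or ts > now + max_skew:
        return None
    return data


if __name__ == "__main__":
    key = b"shared-api-key"          # constructed sample secret
    tok = sign_user(key, "user-42", "alice@example.com", int(time.time()))
    print("fresh token accepted:", verify_user(key, tok, int(time.time())) is not None)
    print("wrong key rejected:", verify_user(b"other", tok, int(time.time())) is None)
```

One caveat a practitioner would add: the timestamp only narrows the replay window, it does not close it. Anyone who captures a token can reuse it until `max_age` elapses, so the token should travel only over HTTPS, and if a single use per token matters the host has to remember (id, ts) pairs it has already accepted within the window.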
>But the catch is that I don't have a free plan (yet) since I can't make any money off of users on the free plan
Free plans are there to provide marketing and free publicity, not direct income ;)
Just my two cents, obviously I haven't done any detailed market research.
Based on the initial feedback, there's serious demand for a free tier and people don't need much convincing to switch so I think it makes sense to have one for non-commercial personal blogs and websites. Once I have at least a few paying customers I plan to rollout the free tier with a focus on tech blogs. The idea is to avoid a situation where I'm supporting free tier users and footing non-trivial server bills without having any revenue.
> If it doesn't eventually turn into revenue, it doesn't make sense to support.
I'll have to consider it a marketing expense.
Thanks for the suggestion! I definitely think there is a need for a fast, private and good commenting system.
EDIT: By the way, my username is "stavros" on your site. Also, your form says "site URL" but then complains about an invalid domain because I included the "https" part, which was a bit confusing.
I separated the URL scheme and domain name in the "Add website" form. I'm planning to update it to have a single URL field and handle the various cases: with and without URL scheme, figuring out whether a website supports https etc. I left it out of the initial version but I'll update the form to make it user friendly.
Social-engagey? There's Gmail, Facebook, Twitter login, + email & password alternatively.
(The underlying discussion platform: (it's almost beta status) https://www.effectivediscussions.org/ — there's $2 embedded-comments hosting, + it's open source.)
>foxhop: I was wondering if you would entertain the idea of switching out Disqus comments for Remarkbox, a service that I'm trying to launch [...] https://www.remarkbox.com
How is he sure that they had no knowledge?
What if they knew but were just waiting for someone with a blog or a Twitter account to make the "discovery"?
In any event, none of this would have happened if email addresses had not been collected.
There is no need to collect email addresses in order to allow internet users to post comments. Requiring email addresses serves no benefit to the user. It is just more gratuitous data collection. Data which eventually becomes the subject of yet another "data breach blog" entry.
Persistent identity -> password-protected account -> email for recovery.
I certainly wish more places would make email addresses optional, but there is value in collecting them.
And I would hope disqus offers them that choice. But even if it doesn't, there are many users who are not you and whose commenting patterns are not yours, and email collection still adds value for them.
> We are currently in process of emailing all of the impacted users directly. Getting all 17.5 million emails out will take us a few days, but we wanted to get this disclosure post out as soon as possible. Additionally we've posted links to this disclosure in our publisher admin panel, user homepages, and on disqus.com.
One account is the owner of several sites that use Disqus too! And a few bigger ones.
1) they had a plan for breaches (it would be hard to cover all the ground without one)
2) they had technical controls/capability to respond (mass password reset)
3) they had clear and direct accountability all the way up to the CEO
Other than not having detected the breach, and using not-the-best (but not entirely the worst either) password storage, I don't know what else you could ask for.
Not everything is rosy. They didn't notice unauthorized access for 5 years.
According to it:
> As a precautionary measure, we are forcing the reset of passwords for all affected users. We are contacting all of the users whose information was included to inform them of the situation.
They even give a shoutout to Troy right at the end of that article.
> "We are currently in process of emailing all of the impacted users directly. Getting all 17.5 million emails out will take us a few days, but we wanted to get this disclosure post out as soon as possible. Additionally we've posted links to this disclosure in our publisher admin panel, user homepages, and on disqus.com."
I'm assuming one of the many people who use my gmail address by mistake tried to sign up with it.
I only give my personal alias out to close friends and family.
This ensures it falls outside the news cycle for most journalists and gets the minimum of coverage.
Perhaps I've deleted my account after 2012, but don't remember it.
Will be interesting to see if I receive email from them, despite not being a user anymore.