Disqus 2012 Data Breach
ObscureIQ Breach Intelligence
Low SeverityWebsite / service breach
Disqus Website Comment Platform Breach (2012, Disclosed 2017): 27 Million User Accounts Including Hashed Passwords Exposed
Comment hosting platform for websites.
Verified by ObscureIQ Intelligence
23/100Breach Risk Index
5Data Value
25Market Recency
512dSince Breach
Breach Intelligence Summary
Entity: Disqus · Actor: Unknown · Sources: 8 references
Attack: Unknown
Profile: Platform · Website commenting and engagement tools · SaaS discussion platform · Global
Timeline: Breach (2012-07-01) · Indexed (Dec 01, 2024) · Year (2012)
Exposure: 27.8M records · 3 fields: Email Address, Password, Username
Status: Confirmed
Executive Summary
Disqus, a comment hosting platform embedded across major news sites, blogs, and digital media properties worldwide, suffered a data breach in July 2012 that went undetected for over five years. The intrusion was not discovered until October 2017, when the stolen data surfaced. The breach affected approximately 27.8 million user accounts. The attack vector was not publicly identified. The exposed data included email addresses, usernames, and passwords stored as salted SHA-1 hashes. SHA-1 is an older hashing algorithm that, while better than storing passwords in plain text, is now considered weak and crackable with modern tools. Users who had logged in through social accounts such as Google or Facebook had no stored password exposed, but their account references were included. Because Disqus operates across thousands of third-party sites, the breach also exposes a risk specific to the platform: commenting history tied to a single Disqus identity can be used to correlate pseudonymous usernames with personal views, political opinions, or other identifying information across sites. No regulatory action or legal settlement specific to this breach has been publicly documented. Once the breach was discovered in 2017, Disqus disclosed the incident promptly and notified affected users, prompting password resets. People affected by this breach should treat any reused passwords as compromised, particularly if those credentials were used on other sites. The five-year gap between the intrusion and its discovery means exposed data had ample time to circulate before users had any opportunity to act.
ObscureIQ assessment: Main risks include password reuse, account takeover, and deanonymization of commenters. Cross-site commenting history can also help correlate pseudonymous identities and political or personal views.
Breach Impact
In July 2012 Disqus was breached, though the incident was not discovered until October 2017 — a five-year gap between intrusion and discovery that is among the longer undetected dwell times in consumer platform breach history. Once discovered, Disqus disclosed the incident promptly. The exposed dataset of approximately 17.5 million records included email addresses, usernames, and passwords stored as salted SHA-1 hashes, along with some accounts with no stored password that had used social login. Disqus notified affected users and prompted password resets. No settlement or regulatory action specific to this breach has been prominently documented.
About Disqus
Disqus is a comment hosting and community platform embedded on third-party websites to power reader discussion sections. Publishers integrate Disqus to replace native comment systems with a centralized, cross-site identity and moderation layer. The platform has been used by major news sites, blogs, and digital media properties globally. Disqus was acquired by Zeta Global in 2017.
Why They Hold Your Data
Commenting and engagement platforms collect user accounts, emails, usernames, passwords, IP addresses, and public discussion history across large networks of websites.
Recent Developments
Disqus continues to operate under Zeta Global's ownership as part of its marketing technology portfolio. The comment platform market has contracted as major publishers have disabled reader comments or moved to social media-based discussion. Disqus has maintained its presence among publishers that still host reader comments but its cultural prominence has diminished.
Data Points Exposed
3 verified field types
Email Address
Password Critical
Username
Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.
Exploitation & Downstream Threats
Threat Activity:High
Primary downstream threats:
- Credential stuffing against reused passwords across other platforms
- Targeted phishing campaigns using exposed email addresses
Threat vectors:
- Phishing, credential stuffing & account takeover
- Credential stuffing & account takeover
- Cross-platform tracking & credential stuffing
Recommended Actions
If you believe your information may be included:
Change Reused Passwords
Update this account and anywhere you reused the password; use a manager.
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
Frequently Asked Questions
What happened in the Disqus breach?▾
Disqus, a comment hosting platform embedded across major news sites, blogs, and digital media properties worldwide, suffered a data breach in July 2012 that went undetected for over five years. The intrusion was not discovered until October 2017, when the stolen data surfaced. The breach affected…
What data was exposed?▾
Verified fields include Email Address, Password, Username.
What should I do if I was affected?▾
Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.
Sources & References
Every claim on this page is traceable. This breach draws on:
Breach Index
Breach Index
Cross-source
9ghz
Cross-source
BreachForums_Official_Index
Cross-source
DataViper.io
Cross-source
Dehashed
Cross-source
leakfind
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Protect Yourself
Check If You're Affected
Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.
Get Free Breach Alerts
Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.
High-Risk? Get an Exposure Audit
Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.
Request Consultation