Disqus Data Breach
Disqus Website Comment Platform Breach (2012, Disclosed 2017): 27 Million User Accounts Including Hashed Passwords Exposed
Comment hosting platform for websites.
Risk Interpretation
Main risks include password reuse, account takeover, and deanonymization of commenters. Cross-site commenting history can also help correlate pseudonymous identities and political or personal views.
Impact & Downstream Threats
In July 2012 Disqus was breached, though the incident was not discovered until October 2017 — a five-year gap between intrusion and discovery that is among the longer undetected dwell times in consumer platform breach history. Once discovered, Disqus disclosed the incident promptly. The exposed dataset of approximately 17.5 million records included email addresses, usernames, and passwords stored as salted SHA-1 hashes, along with some accounts with no stored password that had used social login.
- Credential stuffing against reused passwords across other platforms
- Targeted phishing campaigns using exposed email addresses
Threat Vectors
Breach Intelligence
Executive Summary
Disqus, a comment hosting platform embedded across major news sites, blogs, and digital media properties worldwide, suffered a data breach in July 2012 that went undetected for over five years. The intrusion was not discovered until October 2017, when the stolen data surfaced. The breach affected approximately 27.8 million user accounts. The attack vector was not publicly identified. The exposed data included email addresses, usernames, and passwords stored as salted SHA-1 hashes. SHA-1 is an older hashing algorithm that, while better than storing passwords in plain text, is now considered weak and crackable with modern tools. Users who had logged in through social accounts such as Google or Facebook had no stored password exposed, but their account references were included. Because Disqus operates across thousands of third-party sites, the breach also exposes a risk specific to the platform: commenting history tied to a single Disqus identity can be used to correlate pseudonymous usernames with personal views, political opinions, or other identifying information across sites. No regulatory action or legal settlement specific to this breach has been publicly documented. Once the breach was discovered in 2017, Disqus disclosed the incident promptly and notified affected users, prompting password resets. People affected by this breach should treat any reused passwords as compromised, particularly if those credentials were used on other sites. The five-year gap between the intrusion and its discovery means exposed data had ample time to circulate before users had any opportunity to act.
About Disqus
Disqus is a comment hosting and community platform embedded on third-party websites to power reader discussion sections. Publishers integrate Disqus to replace native comment systems with a centralized, cross-site identity and moderation layer. The platform has been used by major news sites, blogs, and digital media properties globally. Disqus was acquired by Zeta Global in 2017.
Why They Hold Your Data
Commenting and engagement platforms collect user accounts, emails, usernames, passwords, IP addresses, and public discussion history across large networks of websites.
Recent Developments
Disqus continues to operate under Zeta Global's ownership as part of its marketing technology portfolio. The comment platform market has contracted as major publishers have disabled reader comments or moved to social media-based discussion. Disqus has maintained its presence among publishers that still host reader comments but its cultural prominence has diminished.
Data Points Exposed
Canonical Fields
email_address, password, username
Dark Web Verification
- Dataset containing ~27.8M records identified in breach intelligence sources
- Data indexed and searchable across breach notification platforms
- Source: disqus.com-2012;Disqus Data Breach
Recommended Actions
⚠️ Do not assume this is low sensitivity.
Protect Yourself
Check If You’re Affected
Enter your email to check if your data appears in this breach.
Get Free Breach Alerts
Be the first to know when new breaches are disclosed.
High-Risk? Get an Exposure Audit
Full-spectrum exposure audits for executives and public figures.
ObscureIQ Advisory
We combine proprietary dark web access with commercial and restricted breach intelligence to verify exposure and assess real-world risk.
- A public-facing individual
- A high-profile executive
- A customer of Disqus
- Or concerned about credential reuse
Powered by the ObscureIQ Breach Intelligence Database
© 2026 ObscureIQ · All Rights Reserved · Data Licensing
Latest from ObscureIQ
What Is Credit Monitoring? And Do I Want It? (Answer: Not Really)
Lock Down Browsers. Wipe Employee Footprints. Win Breach Wars.
Sextortion Spam