Swedes uncover Disqus user security breach
David Landes reports:
A group of Swedish journalists are sitting on a goldmine of 29 million online comments, with information about users’ identities, from news sites around the world thanks to a security flaw in debate moderation service Disqus.
After outing several ‘online haters’ at home, which caused several resignations from the populist, far-right Sweden Democrat party, the Swedish investigative journalists behind the revelations said they had accessed the identities of several million commenters using the popular Disqus system.[…]
While the thrust of the research focused on far-right sites in Sweden, data was also collected from news sites elsewhere in the world, including CNN, The Telegraph, ABC News, and The Jerusalem Post, as well as from mainstream Swedish news sites such as Svenska Dagbladet, SVT Debatt and The Local.
Members of the Research Group quickly realized, however, that the data they received also came with metadata that included the email addresses tied to anonymous Disqus accounts.
Read more on The Local (SE). The reporter includes a response from Disqus which states, in part:
“Disqus has not been cracked. No emails were leaked by Disqus,” vice president for marketing Stephen Roy said in a statement released on Tuesday.
He explained that Disqus offers API services that include “MD5 hashes” of email addresses that allow users to access third-party services such as Gravatar, which in turn permits users to display a consistent avatar across platforms.
“This appears to be a targeted attack on a group of individuals using pattern matching of their activity across the web, associated with email addresses used by those individuals,” said Roy, calling the actions a breach of Disqus privacy regulations. “As in all such cases, we are terminating the account.”
Roy added that Disqus was disabling use of the Gravatar service and removing the MD5 email hash from its API.
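The mechanism behind the story is worth spelling out, because Disqus's statement is technically accurate and still misses the point. Gravatar's published rule is to hash the trimmed, lower-cased e-mail address with plain MD5; there is no secret key, and the space of plausible e-mail addresses is small. So anyone holding a list of candidate addresses (party membership rolls, mailing-list archives, other sites' profiles) can hash them and look the API's hashes up in a table, and because the same hash appears on every Disqus-enabled site, it also links one person's handles across sites before any hash is reversed. The example below is added here as an illustration and is not code from Disqus, Gravatar or The Local; the accounts, handles, addresses and the "site_a"/"site_b" records are constructed, and the keyed HMAC variant is a hypothetical alternative shown only to make clear why an unkeyed hash cannot be fixed short of removing it (a keyed hash would no longer work with Gravatar at all, which is consistent with the article's account that the field was removed).

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

Record = Dict[str, str]


def gravatar_hash(email: str) -> str:
    """Gravatar's documented rule: trim, lower-case, MD5, hex digest. No key."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def keyed_hash(email: str, key: bytes) -> str:
    """Hypothetical alternative (not what Disqus or Gravatar use):
    HMAC-SHA256 under a server-side secret, same normalisation."""
    return hmac.new(key, email.strip().lower().encode("utf-8"),
                    hashlib.sha256).hexdigest()


# Constructed data, not from the article. The platform knows the address behind
# each handle; only the hash leaves the server through the public API.
ACCOUNTS_SITE_A = {
    "troll_42": "Anders.Example@example.se",
    "nightowl": "lisa.example@example.com",
    "quietreader": "qr-1999@example.org",
}
ACCOUNTS_SITE_B = {
    "a_nordby": "anders.example@example.se",   # same person as troll_42
    "birdwatch": "someone.new@example.net",
}

# Constructed list of addresses an investigator already holds from elsewhere.
CANDIDATE_EMAILS = [
    "anders.example@example.se",
    "someone.else@example.net",
    "lisa.example@example.com",
    "board@example.org",
]


def api_response(accounts: Dict[str, str]) -> List[Record]:
    """What an API consumer sees for one site: handle plus MD5 e-mail hash."""
    return [{"username": h, "email_hash": gravatar_hash(e)}
            for h, e in accounts.items()]


def keyed_api_response(accounts: Dict[str, str], key: bytes) -> List[Record]:
    """Same shape, but the hash is keyed with a secret the consumer never sees."""
    return [{"username": h, "email_hash": keyed_hash(e, key)}
            for h, e in accounts.items()]


def deanonymize(records: List[Record], candidates: List[str]) -> Dict[str, str]:
    """Dictionary attack: hash every candidate address, then look each API hash
    up. Normalisation means 'Anders.Example@...' matches 'anders.example@...'."""
    table = {gravatar_hash(e): e for e in candidates}
    return {r["username"]: table[r["email_hash"]]
            for r in records if r["email_hash"] in table}


def deanonymize_keyed(records: List[Record], candidates: List[str],
                      guessed_key: bytes) -> Dict[str, str]:
    """The same attack against the keyed variant. Without the server's key the
    attacker's table is built with the wrong function and nothing matches."""
    table = {keyed_hash(e, guessed_key): e for e in candidates}
    return {r["username"]: table[r["email_hash"]]
            for r in records if r["email_hash"] in table}


def link_across_sites(records_by_site: Dict[str, List[Record]]
                      ) -> Dict[str, List[Tuple[str, str]]]:
    """Even before any hash is reversed, an unkeyed hash is a global identifier:
    group handles on different sites that share the same hash."""
    seen: Dict[str, List[Tuple[str, str]]] = {}
    for site, records in records_by_site.items():
        for r in records:
            seen.setdefault(r["email_hash"], []).append((site, r["username"]))
    return {h: v for h, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    site_a = api_response(ACCOUNTS_SITE_A)
    site_b = api_response(ACCOUNTS_SITE_B)
    print("reversed:", deanonymize(site_a, CANDIDATE_EMAILS))
    print("linked:", link_across_sites({"site_a": site_a, "site_b": site_b}))
    server_key = secrets.token_bytes(32)
    keyed = keyed_api_response(ACCOUNTS_SITE_A, server_key)
    print("keyed, wrong key:", deanonymize_keyed(keyed, CANDIDATE_EMAILS, b"guess"))
```

Two of the three "anonymous" handles fall out of the table lookup immediately, and the cross-site grouping ties `troll_42` and `a_nordby` together without knowing either address, which is the kind of "pattern matching of their activity across the web" Disqus describes. The keyed variant defeats the dictionary attack but also breaks Gravatar interoperability, so the only practical fix for a field that must stay Gravatar-compatible is the one the article reports: stop publishing it.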