> They provided details - the passwords were salted SHA1 hashes which is not a pretty story to tell in this day and age, but they told it truthfully regardless<p>The leak is from 2012, which might explain SHA1 usage. It should still have been something better, even for that time, but still.<p>Anyway, I think it's pretty hilarious that we're now patting companies on the back after leaking 17.5 million user details. Not that Disqus' disclosure wasn't textbook. Just that it's now so normal for companies to leak things all over the place that we actually have Best Practices for what to do when (not if ;-) that happens.<p>Personally, I don't register with my real name and email anymore, anywhere. It's a bit of a pain in the ass sometimes, but worth it.
While we're on the subject, is there an alternative to Disqus that doesn't load three terabytes of stuff and have all the social-engagey functionality? I just want something that does comments.
"Less than a day earlier, they had absolutely no idea what was coming yet they managed to pull all this together in record time."<p>How is he sure that they had no knowledge?<p>What if they knew but were just waiting for someone with a blog or a Twitter account to make the "discovery"?<p>In any event, none of this would have happened if email addresses had not been collected.<p>There is no need to collect email addresses in order to allow internet users to post comments. <i>Requiring</i> email addresses serves no benefit to the user. It is just more gratuitous data collection. Data which eventually becomes the subject of yet another "data breach blog" entry.
In a previous discussion here on HN, there were several folks who claimed that they were (or should have been) affected who did not receive a notification from Disqus but did receive a notification from HIBP.
I got an email, despite never having set up an account. I was able to reset my password and delete the account though. Before I did that I looked through the profile and settings, and it was completely blank aside from my email address.<p>I'm assuming one of the many people who use my gmail address by mistake tried to sign up with it.
Perhaps it is coincidental, but disclosing the results at 4pm EST on a Friday afternoon helps "bury the bad news".<p>This ensures it falls outside the news cycle for most journalists and gets the minimum of coverage.
I have my mail in the breach, yet I don't have an account.<p>Perhaps I've deleted my account after 2012, but don't remember it.<p>Will be interesting to see if I receive email from them, despite not being a user anymore.