Welcome back to our Data Breach of the Month series, where we look at a notable cyber incident or data breach from the past month. Sometimes we’ll offer deeper analysis of the latest big breach, and other times we’ll focus on a lesser known incident that has outsized implications for the security industry.
In each case, you’ll learn the type of data breached, the vulnerabilities or gaps that were exploited, and what organizations can do to remediate effectively and address potential root causes.
So without further ado, our breach of the month for October 2017 is … the user data breach at Disqus, which went unnoticed for five years.
Disqus, a widely used commenting tool and WordPress plug-in, just found out that its systems were breached… in 2012. Disqus was unaware of the breach until last month, when Troy Hunt of Have I Been Pwned?— a website where users can submit their email address to quickly see what accounts of theirs have been compromised in data breaches—alerted them that he had come across their exposed user information.
Email addresses and usernames of 17.5 million users were exposed in the breach. A third of those users also had hashed passwords exposed, but fortunately, none of the passwords were in plain text.
How exactly Disqus was breached is not yet known, or at least has not been publicly reported. A snapshot of Disqus’ user database was exposed, suggesting someone gained unauthorized access to their systems and successfully extracted the data without being detected.
Many security breaches go unnoticed not because they weren’t flagged by security systems, but because security systems flag so much that analysts are unable to identify true positives and take the time to investigate. One of the ways to cut through the volume of alerts is to have an incident response platform that closely integrates with your SIEM for escalation of likely true positives. Alerts can then be accurately assessed with features like automated risk scoring, which checks external reputation sources and past incident data to generate the likelihood that an alert is a genuine threat. Overcoming alert fatigue is an important step to ensuring that significant incidents don’t get missed.
There is a second takeaway from the Disqus breach that won’t help you reduce the risk of an incident, but it will certainly help you reduce the impact of an incident: well-executed breach disclosure. Troy Hunt, who you’ll remember was the one who notified Disqus of the breach, wrote a blog post highlighting Disqus’ response as an example of data breach disclosure done right. Within 24 hours of being notified, Disqus had released a detailed public notification, taken steps to protect impacted accounts, and made their CEO available to the press for questions.
Good breach disclosure requires that you are able to quickly assemble and make sense of your incident data. Security tools that offer strong metrics, analytics, and reporting are necessary to support this task. Another useful tool to have is software that supports cross-departmental collaboration. Breach disclosures will need signoff from Legal at minimum, and probably PR and senior management too. Some tools silo data within the security team, making it difficult to share the information and get the necessary approvals within a short timeframe.
The Disqus breach is not the only long-undiscovered breach that has been brought to light recently. In fact, it is not at all uncommon for attackers to have access to sensitive systems for weeks or even months before being discovered. We hope that you will consider our tips to help streamline your detection processes in order to catch these incidents before they can do damage, and to be prepared for prompt public disclosure should a breach occur.
We’ll see you back here next month for a new Breach of the Month.