Data leak

Disqus Comment Platform Breach — 17.5 Million Users (2012 Data Disclosed 2017)

📅 2012-07-01 🏢 Disqus commenting platform user database
Primary Source ↗

Incident Details

Disqus, the blog comment hosting service embedded across millions of websites, disclosed in October 2017 that a snapshot of its user database dating from July 2012, covering 17.5 million users, had been obtained by an unknown party. The data was passed to security researcher Troy Hunt, who loaded it into Have I Been Pwned and alerted Disqus on 5 October 2017. The snapshot held email addresses, Disqus usernames, sign-up dates and last login dates in plaintext. Roughly one-third of the records also carried a password hash; these were salted SHA1, the scheme Disqus used at the time of the snapshot. The remaining two-thirds of records contained no password hash. Disqus published its disclosure within 24 hours of Hunt's notification, force-reset the passwords of every potentially affected account, and noted that it had moved from SHA1 to bcrypt at the end of 2012, so the leaked hashes no longer matched the scheme in production. Even so, salted SHA1 is cheap to brute-force, and five-year-old hashes remain a risk for any user who reused the same password elsewhere. The five-year gap between the intrusion and its discovery shows how breached data can circulate privately long before it surfaces, and it raised questions about Disqus's breach detection at the time. Because Disqus serves as the commenting system for major publications including The Washington Post and The Atlantic, the exposed email addresses and usernames tie a diverse population of news readers to their commenting identities.
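The hashing detail above (a third of accounts still on salted SHA1, a later migration to bcrypt) is the usual shape of an opportunistic rehash: old hashes are only upgraded when the user next logs in, so dormant accounts keep the weak hash indefinitely. The following is an added example written for this page, not Disqus code; it uses stdlib `hashlib.scrypt` as the slow hash in place of bcrypt (which needs a third-party package), and the record layout, field names, `legacy_sha1` construction and sample users are all constructed for the demo.

```python
"""Verify-and-upgrade for a user table that still holds legacy salted-SHA1
password hashes, plus a sweep for dormant accounts the upgrade will never
reach.  Added example, not Disqus code.  hashlib.scrypt stands in for bcrypt;
the record format and the SHA1 construction are assumptions for the demo."""

import hashlib
import hmac
import os
from datetime import date

# Modest cost so the demo runs in well under a second; raise n in production.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def legacy_sha1(password: str, salt: bytes) -> bytes:
    """Hypothetical pre-migration scheme: one round of sha1(salt || password).
    A single fast digest, which is why leaked hashes of this kind crack quickly."""
    return hashlib.sha1(salt + password.encode()).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    """Memory-hard replacement (scrypt here; bcrypt or argon2 in practice)."""
    return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)


def make_user(password: str, scheme: str, last_login: str) -> dict:
    """Build a constructed user record; last_login is an ISO date string."""
    salt = os.urandom(16)
    if scheme == "sha1":
        digest = legacy_sha1(password, salt)
    elif scheme == "scrypt":
        digest = modern_hash(password, salt)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return {"scheme": scheme, "salt": salt, "hash": digest, "last_login": last_login}


def verify_and_upgrade(user: dict, password: str) -> bool:
    """Check the password against whichever scheme the record uses.  On a
    successful login of a legacy record, rewrite it with a fresh salt and the
    slow hash so the SHA1 digest no longer exists anywhere in the table."""
    if user["scheme"] == "sha1":
        ok = hmac.compare_digest(user["hash"], legacy_sha1(password, user["salt"]))
    elif user["scheme"] == "scrypt":
        ok = hmac.compare_digest(user["hash"], modern_hash(password, user["salt"]))
    else:
        return False
    if ok and user["scheme"] == "sha1":
        user["salt"] = os.urandom(16)
        user["hash"] = modern_hash(password, user["salt"])
        user["scheme"] = "scrypt"
    return ok


def dormant_legacy_accounts(users: dict, today: str, max_idle_days: int = 365) -> list:
    """Opportunistic upgrade never touches accounts that stop logging in.
    Return the ids of legacy-hash accounts idle longer than max_idle_days;
    these need a forced reset (or hash deletion), otherwise the weak hash
    sits in the table until the next breach."""
    cutoff = date.fromisoformat(today)
    return sorted(
        uid
        for uid, u in users.items()
        if u["scheme"] == "sha1"
        and (cutoff - date.fromisoformat(u["last_login"])).days > max_idle_days
    )


if __name__ == "__main__":
    # Constructed sample table: two legacy accounts, one already migrated.
    table = {
        "alice": make_user("correct horse", "sha1", "2012-06-30"),
        "bob": make_user("hunter2", "sha1", "2011-01-01"),
        "carol": make_user("tr0ub4dor", "scrypt", "2010-01-01"),
    }
    print("alice login ok:", verify_and_upgrade(table["alice"], "correct horse"))
    print("alice scheme after login:", table["alice"]["scheme"])
    print("dormant legacy accounts:", dormant_legacy_accounts(table, "2012-07-01"))
```

The sweep is the part most teams forget: after a migration, a nightly run of `dormant_legacy_accounts` tells you how much of the table is still exposed under the old scheme, and a forced reset of that set is what closes the gap that a login-time upgrade alone leaves open.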

Technical Details

Initial Attack Vector
Unknown. An attacker obtained a snapshot of Disqus's user database dating from July 2012; Disqus did not disclose how the snapshot was taken. The data circulated privately for more than five years before it was passed to security researcher Troy Hunt, who alerted Disqus on 5 October 2017.
Vendor / Product
Disqus commenting platform user database

Timeline

  1. 2012-07-01 Database snapshot taken (approximate; latest timestamp in the data)
  2. 2017-10-05 Disqus notified by Troy Hunt
  3. 2017-10-06 Publicly disclosed; affected users notified and passwords reset