Data leak
Disqus Breach - 17.5M Email Addresses and Hashed Passwords (2012, Discovered 2017)
Primary Source - Incident Details
On October 5, 2017, Disqus disclosed that security researcher Troy Hunt had notified it of a dataset, provided to him by an anonymous source, containing user data from a 2012 breach. Disqus investigated and confirmed that the breach had occurred in July 2012. The compromised data included email addresses, Disqus usernames, sign-up dates and last login dates in plain text, and, for approximately one-third of the 17.5 million accounts, unsalted SHA-1 password hashes. The remaining two-thirds of accounts had signed in via social login and had no passwords stored. Disqus had migrated to bcrypt for password hashing by the time of the 2012 breach, but the older accounts still had SHA-1 hashed passwords from before the migration. Disqus reset passwords for all affected accounts and notified users by email. The breach was notable for the five-year gap between the breach occurring and its discovery, demonstrating how historical breaches can surface years later. Disqus's relatively fast response once notified (same-day disclosure) was praised by the security community. The breach was part of a broader pattern of 2012-era breaches discovered years later, including LinkedIn (117M), Formspring (28M), and others.
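As an added illustration (not from the original page and not Disqus's code), the migration pattern the paragraph describes: an account store where pre-migration rows keep unsalted SHA-1 digests, a row is upgraded only when its owner logs in successfully, and a defender's check lists the dormant accounts still holding legacy hashes that need a forced reset. PBKDF2 from the Python standard library stands in for bcrypt so the example runs without third-party packages, and every row, name and password below is constructed.

```python
import hashlib
import hmac
import os

# Constructed sample store mirroring the two populations the incident describes:
# legacy rows hold unsalted SHA-1 hex digests from before the migration, upgraded rows
# hold a salted, iterated hash. PBKDF2-HMAC-SHA256 stands in here for bcrypt.
ITERATIONS = 200_000

def legacy_sha1(password: str) -> str:
    """Pre-migration scheme: unsalted SHA-1, the form exposed in the 2012 dump."""
    return hashlib.sha1(password.encode()).hexdigest()

def strong_hash(password: str) -> str:
    """Post-migration scheme: per-user random salt plus slow, iterated hashing."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${dk.hex()}"

def is_legacy(stored: str) -> bool:
    """Legacy rows are bare hex digests; upgraded rows carry a scheme prefix."""
    return not stored.startswith("pbkdf2$")

def verify(stored: str, password: str) -> bool:
    if is_legacy(stored):
        return hmac.compare_digest(stored, legacy_sha1(password))
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def login_and_upgrade(users: dict, name: str, password: str) -> bool:
    """Rehash a legacy row only after a successful login; dormant accounts stay on SHA-1."""
    stored = users[name]
    if not verify(stored, password):
        return False
    if is_legacy(stored):
        users[name] = strong_hash(password)
    return True

def accounts_needing_reset(users: dict) -> list:
    """Defender's check once a dump surfaces: rows still on the legacy scheme need a forced reset."""
    return sorted(n for n, h in users.items() if is_legacy(h))

def build_sample_store() -> dict:
    """Constructed sample rows; the passwords are placeholders, not real data."""
    return {
        "alice": legacy_sha1("constructed-pw"),  # never logged in since the migration
        "bob": legacy_sha1("constructed-pw"),    # same password as alice: identical digest
        "carol": strong_hash("constructed-pw"),  # already upgraded
    }
```

The identical digests for alice and bob show why unsalted hashes let an attacker crack one password and match it across every account that shares it, while the upgraded rows differ even for the same password.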
Technical Details
- Initial Attack Vector
- Database compromise; the breach occurred in July 2012 but was not discovered until security researcher Troy Hunt provided Disqus with a copy of the dataset in October 2017, five years after the breach
- Vendor / Product
- Disqus (comment hosting and management service)
Timeline
- 2012-07-01 Breach occurred
- 2017-10-05 Publicly disclosed
- 2017-10-05 Customers notified