Disqus Account Hijacked – What to Do

Let us tell you a little story…

A huge Joomla website that we fully manage uses Disqus for commenting. The website receives an insane amount of traffic and it is in the Alexa top 10K websites in the US. About 4 months ago, we noticed that the Disqus commenting section had irrelevant ads, but we thought that the client authorized these ads, and so we dismissed this as a non-issue.

Two months ago, the client contacted us and complained about these ads, and so we told them that we were under the impression that these ads were authorized from their end, the client responded that this wasn’t the case, and so we delved deeper into the mysterious world of Disqus.

After investigating the issue, we discovered that Disqus had a platform for displaying ads called “Reveal” which was made very aggressive beginning of the year (beginning of 2016). “Reveal” pays money to publishers, and it was paying the Disqus account owner (who was a developer who worked on the website back in 2011, before we started managing it) about $3,000/month by ACH (ACH stands for Automated Clearing House, another term for direct deposit). Naturally, we disabled “Reveal” in Disqus in order to stop this madness.

We then urged our client to do one of the following:

  • Switch to another Disqus account that they own in order to prevent this in the future, and then ask Disqus to copy the data from one account to another. This option was ideal, but we had serious doubts on whether Disqus will accommodate this request; why should they? It is a free service after all and no one should expect support for anything that was given away for free.
  • Talk to the previous developer and ask him to surrender his admin rights on the account. We also had doubts about this – a developer who sneaks in his information to make a quick buck out of a very reputable client is not a developer that will give away such things easily (or cheaply).

  • Use a Joomla extension such as JComments for commenting platform and then copy the data from Disqus to JComments. This suggestion was the weakest, in our opinion, but it was the only one that was guaranteed to work. Disqus has a solid API, and that API can be used to build the migration tool.

After discussing the issue internally for a few days, the client told us that they will go with the second option, and so we closed the issue on our end. However, we did have this little gut feeling that we will hear from the client about this particular issue in the near future.

And so we did: a couple of weeks ago, the client called us and told us that they were seeing those ugly ads again, and that they needed them removed. So, we tried to login to Disqus, and this time, it didn’t work for us. We asked the client whether they changed their username and/or password on Disqus, but they said they didn’t. We understood what happened immediately: the previous developer discovered that he didn’t receive that $3K in the previous month, so he re-enabled “Reveal” (the Disqus advertising platform, in case you just skipped to this paragraph), and he changed the client’s Disqus password. That was nasty but it was expected.

So, we presented the client with the above 3 options again, and they told us that they tried contacting the previous developer, but he didn’t reply. So, we asked the client to see if they can contact Disqus about this (we also told them to expect very little), and we told them that meanwhile, we will migrate their Disqus comments to JComments.

Immediately after we finished the Disqus migration script to JComments, the client contacted us and told us that, to their (and our) surprise, Disqus replied to them about this and they were willing to help. Here is the email that Disqus sent to our client:

Hi,

Thanks for reaching out to us.

If you have lost your moderator login information, or no longer have access to your forum’s moderation panel due to changes in ownership, you will need to provide the following information so that we can update the Primary Moderator:

-Evidence that you own the site or are in control of the site (this could be a page created on the site with a Disqus-related message, or a screenshot of the site admin or domain registration).

– Shortname of the forum being modified.

– Registered Disqus username of the desired new primary moderator (if you do not have an account you may register one at http://disqus.com/profile/signup ).

– Registered email address of new primary moderator.

If your situation demands more than being set as the Primary Moderator for the forum and having access to the Moderation Panel, please provide us with a detailed description of the issue you are facing.

Woohoo! Disqus did beat our expectations (and those of our client), and they only requested from us to create a specific page for them in order to prove ownership of the website. So, we quickly created a page called “Hi Disqus!” which contained the following text:

“This is a message for Disqus. Thank you for giving us back control over our Disqus account.”

We also created a Disqus account for our client (using an email address belonging to our client’s domain), and we forwarded the account information to our client, telling them to ask Disqus to make the account the master account.

In less than 24 hours, Disqus did just that! They were unbelievably helpful and they were not as we thought they were. We were surprised that they even responded, let alone granting our client full control over his Disqus comments.

We were thrilled that this whole thing ended in the best way possible, and so was our client.

Now if you, our dear reader, lost control over your Disqus account (or didn’t have full control in the first place), then we suggest that you contact Disqus (they will reply to you). If you need help with the process, then please contact us. We have done this before, our fees are super affordable, and we will do our best to turn that nightmare of yours into a positive experience.

No comments yet.

Leave a comment