The crack uses a serious security flaw in the Disqus APIs that enables the extraction of MD5 hashes of user e-mail addresses. Users are identified by brute-force matching those MD5 hashes against a database of e-mail addresses.
Example of the attack vector, as revealed by Twitter user chmod007, security engineer David Remahl:
https://disqus.com/api/3.0/users/details.json?user=username:USERNAME&api_secret=secret

The Disqus commenting system has over 50 million users worldwide and is used by 750 000 media sites and blogs (Wikipedia). They are no longer necessarily anonymous.
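A check a service operator could run against its own API responses to catch this class of leak before release, as an added example that is not from the original post or from Disqus. It generalizes from MD5 to any unkeyed MD5, SHA-1 or SHA-256 hash of the account's e-mail address, and the sample response and its field names are constructed for illustration, not the Disqus schema.

```python
import hashlib

ALGORITHMS = ("md5", "sha1", "sha256")

def unkeyed_digests(email):
    """Every unkeyed hex digest of the address, raw and normalised -> algorithm."""
    digests = {}
    for variant in {email, email.strip().lower()}:
        for alg in ALGORITHMS:
            digests[hashlib.new(alg, variant.encode("utf-8")).hexdigest()] = alg
    return digests

def find_email_leaks(response, email):
    """Return (json_path, kind) for each string field in a decoded JSON
    response that carries the address or an unkeyed hash of it."""
    plain = email.strip().lower()
    digests = unkeyed_digests(email)
    leaks = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif isinstance(node, str):
            text = node.lower()
            if plain in text:
                leaks.append((path, "plaintext"))
            for digest, alg in digests.items():
                if digest in text:
                    leaks.append((path, alg))

    walk(response, "$")
    return leaks

# Constructed sample: the field names are hypothetical, not the Disqus schema.
EMAIL = "Alice@example.org"
_MD5 = hashlib.md5(EMAIL.lower().encode()).hexdigest()
SAMPLE = {"response": {
    "username": "alice",
    "emailHash": _MD5,
    "avatar": {"permalink": f"https://avatars.example/{_MD5}.png"},
}}

if __name__ == "__main__":
    for path, kind in find_email_leaks(SAMPLE, EMAIL):
        print(f"{path}: exposes {kind} of the account e-mail")
```

Run as a regression test over every public serializer, it fails the build when a hash of the address reaches a response, including when it is embedded in a URL.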
Update: Looking for 150 million e-mail addresses to match against Disqus accounts? Download the 150 million user e-mails from the intrusion into Adobe's user database.
Update 2: Researchgruppen and possibly Expressen might be in violation of the Disqus terms of service, which they probably have to agree to in order to access the API. See below.
"Service Rules. You agree not to engage in any of the following prohibited activities: (i) copying, distributing, or disclosing any part of the Service in any medium, including without limitation by any automated or non-automated “scraping” except for uses allowed under the “Feed and API” section below; [...] (vii) collecting or harvesting any personally identifiable information, including account names, from the Service; (viii) uploading, posting, transmitting, sharing, storing or otherwise making publicly available on the site, or other channels, any private, personally identifiable information of any third party, including, but not limited to: addresses, phone numbers, email addresses, Social Security numbers and credit card numbers; [...] (xii) accessing any content on the Service through any technology or means other than those provided or authorized by the Service or Disqus’ written permission;"