Another day, another data breach, it seems. On Friday, Quora became aware of an incident involving an “unauthorised third party” accessing data from 100 million users of the Q&A platform, and yesterday it began to notify users in an attempt to contain the incident. Quora tweeted late last night, “We have discovered that some user data was compromised by unauthorized access to our systems. We’ve taken steps to ensure that the situation is contained and are notifying affected users. Protecting your information is our top priority” and directed users to a blog post with further information.
“It is our responsibility to make sure things like this don’t happen, and we failed to meet that responsibility”
– Quora CEO Adam D’Angelo
So what data exactly did this breach compromise? CEO Adam D’Angelo made a statement on the scope of the breach, “Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users. Public content and actions, e.g. questions, answers, comments, upvotes. Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)”.
In response to the incident, Quora has logged out all users of the site and enforced mandatory password changes for all accounts. Even though it states that the stolen password data was hashed (which it describes as “encrypted”) and should therefore be inaccessible to the crooks, it also recommends changing the password on any other websites/services where the same password was used, just in case (reusing passwords across sites is a common way that cyber criminals gain unauthorised access to people’s accounts and a definite no-no in terms of online security). We would go a step further and advise that two-factor authentication be set up on any website that offers this feature, as it is leagues more secure than even the most complex password on its own at the moment.
This incident is just the latest in the ongoing saga of data being compromised by cyber criminals, where it is often sold on the dark web and ends up being used for identity theft, targeted phishing attacks, social engineering and other nefarious activities in an attempt to earn a dishonest day’s wages.
Last week, US hotel chain Marriott saw a breach that involved its entire guest database being exposed. In one of the biggest hacks of an individual organisation that the world has ever seen, a whopping 500 million guest records were stolen – not even directly from Marriott, but from a subsidiary company. At least 300 million of those records are thought to contain the name, email address, phone number, passport number, gender and date-of-birth of affected guests, making it an absolute gold mine for identity theft. Marriott declined to specify the number of users for which credit card numbers and expiration dates were also compromised.
Another day, another data breach. This is life in the online sphere we all currently occupy, and many organisations still neglect the security of their customer data for fear of damaging profit margins. However, when such a breach occurs, irreparable reputational damage is inflicted on that company. Users have already taken to (other) social media sites to declare that they will be logging in to Quora once more – to reset their password and then delete their account.
For those who are rightfully concerned about their online security in the wake of these incidents, we would advise you to ensure that you are using long passwords or passphrases that are unique to each site/service you use, in addition to two-factor authentication wherever it is available as an option. If a site you use doesn’t offer two-factor authentication, get onto them: contact them and express that your data’s security is too important to be neglected. For a more in-depth read on password security and best practices, here’s a piece we wrote up on the latest NIST guidelines for creating more secure passwords.