The personal data of some 100 million people who have used Quora, a popular question and answer website, has been compromised, the company disclosed Monday.
“We recently discovered that some user data was compromised as a result of unauthorized access to one of our systems by a malicious third party,” wrote Quora CEO Adam D’Angelo in an online post.
“We are working rapidly to investigate the situation further and take the appropriate steps to prevent such incidents in the future,” he added.
The intrusion — which was discovered Friday, D’Angelo noted — placed the following information of Quora users at risk:
- Account information, such as name, email address, hashed password and data imported from linked networks when authorized by users;
- Public content and actions, such as questions, answers, comments and “upvotes”;
- Non-public content and actions, such as answer requests, downvotes and direct messages.
“It is highly unlikely that this incident will result in identity theft, as we do not collect sensitive personal information like credit card or social security numbers,” states a response on the company’s FAQ page.
Compared to other large data breaches — such as the breach at the Marriott hotel chain last week, which affected some 500 million customers and enabled intruders to steal credit card numbers, dates of birth and passport numbers — the Quora attack is relatively mild, said Ted Rossman, an industry analyst with Creditcards.com in Austin, Texas.
“The Quora breach seems more contained,” he told TechNewsWorld. “It was information that was already public or things that are not that sensitive, like email addresses.”
The risk for most Quora users isn’t that severe, remarked Paul Bischoff, privacy advocate at Comparitech, a reviews, advice and information website focused on consumer security products.
“The stolen passwords are hashed and no payment information was breached, so there’s little immediate threat to most people,” he told TechNewsWorld.
“However, the small portion of users who utilized Quora’s direct messaging platform might have exposed private information sent to other users,” Bischoff added.
All personal information — not just passwords and credit card numbers — can be valuable to data abusers, though.
“As we saw with the Cambridge Analytica fiasco, access to personal likes, tastes, and other preferences can be used against individuals,” Javvad Malik, a security advocate at AlienVault, a threat intelligence company in San Mateo, California, told TechNewsWorld.
Chilling Effect on Sharing
Theft of data at the site also could have other consequences for Quora.
“Since this is a knowledge-sharing platform, one of the risks of an incident like this is it could deter people from engaging in that kind of activity, which is productive and useful,” said Thomas Jackson, chair of the technology practice group at Phillips Nizer, a law firm in New York City.
“Breaches like the one at Marriott put clients at risk because so much customer data is exposed,” he told TechNewsWorld. “In the Quora case, the main issue is going to be the willingness of inviduals to contribute going forward. Will it have a negative effect on postings and new signups?”
Once a breach occurs, the damage is done and there’s no taking it back, added Bischoff.
“That being said, other than being breached, Quora did pretty much everything right,” he continued. “Passwords were stored as hashes and not in plain text. Quora promptly notified users of the breach and took action to remedy the issue.”
Leveraging Social Media Logins
Although knowledge seekers with Quora-only accounts may be at minimal risk from the data breach, that might not be the case for those who use other services, such as Facebook and Google, to log into the website.
“For people who log into Quora using Facebook or Google authentication, there may be more identity information leaked, depending how much is contained in their Facebook or Google profiles,” said Mounir Hahad, head of the threat lab for Juniper Networks, a network security and performance company based in Sunnyvale, California.
“People need to make sure their Google and Facebook profiles contain a minimal amount of personal information,” he told TechNewsWorld. “For example, neither service needs to know your exact date of birth to provide you with services.”
The most useful information stolen by the cybercriminals likely will be a massive list of valid email addresses, Hahad said.
“Hackers will often turn around and sell this data on the underground market,” he explained. “Typical buyers are those that run spam platforms that cater to people trying to push products or build botnets.”
What’s a Consumer to Do?
Consumers concerned about the risks posed to them by the Quora breach can take a number of steps to protect themselves.
“They should decouple their Quora accounts from other platforms,” recommended Mike Bittner, digital security and operations manager at The Media Trust, a website and mobile application security company in McLean, Virginia.
“They should also change all their passwords, applying unique credentials to each one,” he told TechNewsWorld, “and check their credit cards for any unauthorized charges.”
Maintaining unique passwords across all accounts is particularly important, noted James Carder, CISO for LogRhythm, a cybersecurity solutions company in Boulder, Colorado.
“It’s common for attackers to sweep other consumer platforms to test credentials they just stole,” he told TechNewsWorld.
Quora users also should be on the lookout for increased phishing and other attacks,he advised, as the black hats might have enough information to craft specially targeted ploys.
More of the Same in the Future
Until the Quora and Marriott attacks, 2018 was shaping up to be a down year for breaches, with 670 million records lost, compared to 1.58 billion in 2017, noted Terry Ray, CTO of Imperva, a web application firewall maker in Redwood City, California.
“Now, with two back-to-back major breaches compromising roughly 600 million total accounts, 2018 is in striking distance of matching or exceeding last year,” he told TechNewsWorld.
The future doesn’t look bright, unless you’re a data thief.
“All companies, regardless of size, should expect to be targeted by attackers and prepare themselves by knowing all the third parties they work with,” The Media Trust’s Bittner warned.
“Attacks are not a matter of if, but when,” he added.
“Until companies can adequately protect their customers, this trend will not slow down, and the prognosis will not trend positively,” Carder predicted.
“I thought the Equifax breach last year — where they let 150 million accounts slip out the cracks — would be a tipping point,” said Creditcards.com’s Rossman, “but a year, later very little has changed. It’s up to us to protect ourselves.”