Adam D'Angelo, CEO of the information-sharing/Q&A website Quora, issued a statement on Monday saying that the company had discovered on Friday that there had been unauthorised access to the details of some 100 million Quora users.
The compromised information comprised account information (name, email address, encrypted (hashed) password, and data imported from linked networks where users had authorised it); public content and actions (questions, answers, comments, upvotes); and non-public content and actions (answer requests, downvotes, direct messages).
The company says that it is in the process of notifying users whose data has been compromised and is logging out all Quora users who may have been affected, requiring them to reset their passwords. The statement says: "We believe we've identified the root cause and taken steps to address the issue. We're still investigating the precise causes and in addition to the work being conducted by our internal security teams, we have retained a leading digital forensics and security firm to assist us. We have also notified law enforcement officials."
Matt Aldridge, senior solutions architect at Webroot, noted: "What's interesting about this data breach is that user imported data from linked social media sites was potentially also accessed. Cyber-attackers will use information gained from social media sites to target employees through highly personalised attacks, such as spear phishing. Through these types of attacks, malicious actors will trick employees into handing over their usernames and passwords, allowing them access to the company's network.
"Any company who holds potentially sensitive information on users must have clearly defined security policies and procedures regarding password management and consider investing in technical security layers – from threat intelligence solutions to two factor authentication – to further bolster defences. Employee education will underscore an effective cybersecurity strategy and comprehensive best practice guides for passwords and system policies are critical to maintaining defences."
In an email to SC Media UK, Dashlane CEO Emmanuel Schalit advises consumers to immediately change their passwords not only on Quora but also on any social media accounts they have linked to the site, saying: "Because the extent of the hack is still unknown, if you've ever signed up for a Quora account, we recommend changing your password now. Similarly, as some of the compromised information includes data from linked social network accounts such as Facebook and Twitter, we would recommend changing your passwords on those services too.
"Each of your online accounts should have a unique, complex password; this is especially true of accounts that contain sensitive personal information like social media accounts. You may not be able to control the security architecture of the digital services you use every day and that hold so much of your data, but you can take measures to make sure you have optimal password hygiene. This is the digital version of the 'containment' doctrine. One example is using a password manager with a Password Changer capability; this can be easily done, and used to instantly generate and change your passwords with a single click – ensuring proper and regular cyber hygiene."
Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, agrees on the need for password managers, saying: "This breach goes to show that whether you are an airline or simply a Q&A forum, if you have valuable data, you are a target for hackers. The data sets that have been exposed here are huge - not just leaking the usual user credentials but also their social network accounts and potentially their private personal information that was posted on Quora.
"In my view, all organisations should prepare for the worst. It is not a matter of if a breach will happen, but when. Why is this the case? Because the state of an organisation's security is always changing, it can't be fixed in time. Many things affect the state of security on a day to day basis - for example additions to code on the website, new administrators that may join, even the physical security of the office such as visiting contractors, or whether a security guard is taken sick that day.
"Users affected by the breach have been advised that their passwords have been reset. Quora has also advised that users do not reuse passwords on multiple sites. This is an important practice for us all. The easiest way to do this is using a password manager such as 1Password or LastPass. This will allow you to generate random passwords whenever you create an account on a website or when you reset a password."
Stephen Cox, VP and chief security architect at SecureAuth, comments in an email to SC Media UK: "More focus needs to be put on advanced authentication techniques to improve organisations' security posture in this threat landscape. Far too many organisations are relying on approaches that have simply been proven ineffective against modern attackers, and they must be careful to not develop a false sense of security even when they've adopted basic techniques such as two-factor authentication. These types of breaches will continue to proliferate unless organisations up their game for their employees and their customers, implementing multi-factor and adaptive authentication to render stolen credentials useless to an attacker."
Sam Curry, chief security officer at Cybereason, noted in an email to SC: "Today, the potential attack surface that corporations have to protect is a lot bigger and wider than it was just a few years ago, and this plays right into the hands of hackers. It is through persistence and patience that most adversaries are successful - try and try again until you are successful. This leaves corporations with the responsibility to implement a new offensive mindset and to very specifically take the fight to the adversaries, putting them on the defensive. Something has to change, because a hacker only needs to be right once to successfully compromise a corporation, while the defenders have to be right 100 percent of the time to avoid making headlines for the wrong reasons."
Slightly more reassuringly, Simon McCalla, CTO of Nominet, gives Quora credit for reacting quickly to report and stem the damage from the leak, noting: "While Quora has recommended that users do change their passwords, the fact they were encrypted means the fallout from this breach could be less impactful than others."
He goes on to add: "That said, Quora has shown good practice by reporting the breach and contacting users in timely fashion in the aftermath of the breach. This would suggest their internal security measures are well monitored and well operated. The fact they keep passwords encrypted also helps protect users should the worst happen. Of course, users of Quora should change their password for complete peace of mind but in this case, Quora's proactive attitude to dealing with the breach will minimise the damage."
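How much protection "encrypted" (hashed) password storage actually buys depends on details Quora's statement does not give: whether each hash carried a per-user salt, and whether a deliberately slow key-derivation function was used rather than a single fast hash. The Python script below is an illustration added for this article; it is not code from Quora, the article or any of the commentators quoted, and the user records and attacker wordlist are constructed for the example. It runs the same offline dictionary attack against unsalted SHA-256 and against per-user-salted PBKDF2-HMAC-SHA256 (chosen here as a representative slow scheme, not as a statement of what Quora used) and counts how much work each costs the attacker.

```python
import hashlib
import hmac
import os

# Constructed sample records for the illustration (not real breach data).
# Two users chose the same weak password; one chose a random one.
USERS = {
    "alice": "Vq7#pL2m!xR9zT",   # strong and unique: absent from the wordlist
    "bob":   "password123",
    "carol": "password123",      # reuses bob's password
}

# Constructed attacker wordlist (a real one has many millions of entries).
WORDLIST = ["123456", "password", "password123", "qwerty", "letmein", "iloveyou"]

PBKDF2_ITERATIONS = 100_000


def fast_unsalted(password: str) -> str:
    """Weak scheme: one fast, unsalted SHA-256 over the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_salted(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stronger scheme: per-user random salt plus an iterated KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_unsalted(users: dict) -> dict:
    return {user: fast_unsalted(pw) for user, pw in users.items()}


def store_salted(users: dict, iterations: int = PBKDF2_ITERATIONS) -> dict:
    db = {}
    for user, pw in users.items():
        salt = os.urandom(16)            # fresh random salt per user
        db[user] = (salt, slow_salted(pw, salt, iterations))
    return db


def crack_unsalted(db: dict, wordlist: list) -> tuple:
    """Hash every candidate once, then look up all users in that table.
    Returns (recovered password per user, number of SHA-256 computations)."""
    table = {fast_unsalted(w): w for w in wordlist}
    recovered = {user: table.get(stored) for user, stored in db.items()}
    return recovered, len(wordlist)


def crack_salted(db: dict, wordlist: list, iterations: int = PBKDF2_ITERATIONS) -> tuple:
    """The salt forces a fresh KDF run for every (user, candidate) pair.
    Returns (recovered password per user, PBKDF2 runs, HMAC evaluations)."""
    recovered = {}
    kdf_runs = 0
    for user, (salt, stored) in db.items():
        recovered[user] = None
        for candidate in wordlist:
            kdf_runs += 1
            if hmac.compare_digest(slow_salted(candidate, salt, iterations), stored):
                recovered[user] = candidate
                break
    return recovered, kdf_runs, kdf_runs * iterations


def compare_schemes(users=USERS, wordlist=WORDLIST, iterations=PBKDF2_ITERATIONS) -> dict:
    """Run the same dictionary attack against both storage schemes."""
    unsalted_db = store_unsalted(users)
    salted_db = store_salted(users, iterations)
    u_rec, u_calls = crack_unsalted(unsalted_db, wordlist)
    s_rec, s_runs, s_hmacs = crack_salted(salted_db, wordlist, iterations)
    return {
        "unsalted_recovered": u_rec,
        "unsalted_sha256_calls": u_calls,
        # identical stored hashes expose that two users share a password
        "unsalted_shared_hash": unsalted_db["bob"] == unsalted_db["carol"],
        "salted_recovered": s_rec,
        "salted_kdf_runs": s_runs,
        "salted_hmac_evaluations": s_hmacs,
        "salted_shared_hash": salted_db["bob"][1] == salted_db["carol"][1],
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

Against the unsalted table the attacker pays six hash computations in total and reads off every weak password, and bob's and carol's identical hashes reveal the shared password before any cracking starts. Against the salted scheme the attacker pays twelve full PBKDF2 runs (1.2 million HMAC evaluations) for the same three accounts and learns nothing from comparing the stored values; only alice, whose password is unique and not in the wordlist, survives both attacks, which is the practical argument for the unique, generated passwords the commentators above recommend.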
Nonetheless, High-Tech Bridge CEO Ilia Kolochenko warns that the legal exposure remains: "In light of a class-action lawsuit seeking US$ 12.5 billion (£9.8 billion) in damages filed the next day after the recent Marriott data breach, Quora may also expect significant legal ramifications. The financial penalties they will be required to pay to authorities and damages in individual lawsuits / settlements will likely be economically bearable, nonetheless, the total amount can be huge."