Another day, another data breach impacting hundreds of millions of people.
Sigh. So what’s happened now?
Quora’s CEO, Adam D’Angelo, has announced that on Friday the company discovered that, “some user data was compromised by a third party who gained unauthorized access to one of our systems.”
Who or what is Quora?
Quora is a question and answer website where visitors can ask questions about almost anything, and receive answers from other visitors.
It has gained a reputation for the quality of answers posted, resulting in a staggering 300 million unique users each month. To put this into perspective, Twitter boasts 326 million active users each month.
Questions (and corresponding answers) range from love advice and encryption details to recipe suggestions, and cover pretty much the entire range of human experience.
Visitors to the website are firmly pushed towards registering, using either their social media accounts or via direct sign-up. This is not required, however, and visitors can opt to ask and answer questions anonymously.
Who is responsible?
The culprit is unknown, although Quora’s internal security teams are investigating the matter. Quora has also “hired a leading digital forensics and security firm to assist us." In addition to this, it has reported the matter to the police.
How did it happen?
Investigations are ongoing, and Quora has not released any technical details. D’Angelo did say, however, that “we believe we’ve identified the root cause and taken steps to address the issue."
Who is affected?
Around 100 million registered Quora users are affected. Thankfully, Quora does not collect or store any information about anonymous contributors, so questions and answers posted anonymously are unaffected by the breach.
Although almost as popular as Twitter on paper, Quora has not had the same cultural impact. The result is that many people may have a Quora account that they have completely forgotten about. This is particularly dangerous if you re-use the same email address and password across multiple websites: a password recovered from a forgotten Quora account unlocks every other site where it was used.
What data was stolen?
The hackers stole all data relating to registered accounts. This includes full account details, such as name, email address, and data imported from linked social media accounts such as Facebook and Google.
It also includes any questions, answers, comments, and upvotes made publicly on the website, plus content and actions not made public, such as answer requests, downvotes, and direct messages.
Passwords were stolen, but in hashed form. This poses the $64 million question: which hash function was used, and was it salted?
A hash function is a one-way mathematical function, not encryption: it turns a password into a fixed-length digest from which the password cannot be directly recovered, and the website stores the digest rather than the password itself. The problem is that some hashing schemes are a lot more secure than others. Unsalted MD5, for example, is not very secure at all: every user with the same password gets the same hash, attackers can look the hashes up in precomputed tables, and a modern GPU can test billions of MD5 guesses per second. bcrypt is much more secure because it adds a random salt per user (so no shared table is possible) and is deliberately slow to compute, although it is still possible to crack individual bcrypt hashes of weak or re-used passwords by trying common candidates one at a time.
Quora has not elaborated on the hash function it used to secure passwords.
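To make the difference concrete, the following is an added example (not code from the original article or from Quora) that cracks a small, constructed leak of unsalted MD5 hashes with a precomputed table, and then repeats the attack against salted, deliberately slow hashes. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it; the user names, passwords and wordlist are made up for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data (not real Quora data). The passwords are deliberately
# weak so the demonstration completes in well under a second.
USERS = {
    "alice": "password123",
    "bob": "letmein",
    "carol": "password123",   # carol re-uses alice's password
}
WORDLIST = ["123456", "password", "letmein", "password123", "qwerty"]


def md5_unsalted(password: str) -> str:
    """The weak scheme: one deterministic MD5 digest per password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def leak_md5_table(users: dict) -> dict:
    """What an attacker obtains from a site that stored unsalted MD5."""
    return {user: md5_unsalted(pw) for user, pw in users.items()}


def crack_md5_table(leaked: dict, wordlist: list) -> dict:
    """Attack on unsalted hashes: hash the wordlist ONCE, then look every user up
    in the resulting table. The cost is len(wordlist) no matter how many users
    leaked, and identical digests expose shared passwords before any cracking."""
    table = {md5_unsalted(word): word for word in wordlist}
    return {user: table[digest] for user, digest in leaked.items() if digest in table}


# Kept small for the demo; production code uses far more (OWASP currently
# recommends 600,000 iterations for PBKDF2-HMAC-SHA256).
ITERATIONS = 10_000


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> tuple:
    """Salted, deliberately slow hash. PBKDF2-HMAC-SHA256 (standard library)
    stands in here for bcrypt; both salt per user and cost tunable work."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def pbkdf2_verify(password: str, salt: bytes, digest: bytes,
                  iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = pbkdf2_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def leak_pbkdf2_table(users: dict) -> dict:
    """What an attacker obtains from a site that stored salted PBKDF2."""
    return {user: pbkdf2_hash(pw) for user, pw in users.items()}


def crack_pbkdf2_table(leaked: dict, wordlist: list) -> tuple:
    """Attack on salted hashes: no shared lookup table is possible, so every
    (user, candidate) pair costs a full slow hash. Returns the recovered
    passwords and the number of slow hash computations spent."""
    found, work = {}, 0
    for user, (salt, digest) in leaked.items():
        for word in wordlist:
            work += 1
            if pbkdf2_verify(word, salt, digest):
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    md5_leak = leak_md5_table(USERS)
    print("shared password visible in MD5 dump:", md5_leak["alice"] == md5_leak["carol"])
    print("MD5 cracked:", crack_md5_table(md5_leak, WORDLIST))
    pbkdf2_leak = leak_pbkdf2_table(USERS)
    print("shared password visible in PBKDF2 dump:",
          pbkdf2_leak["alice"][1] == pbkdf2_leak["carol"][1])
    print("PBKDF2 cracked, work:", crack_pbkdf2_table(pbkdf2_leak, WORDLIST))
```

Both dumps give up the weak passwords in the end, which is the practical point: salting and a slow hash raise the attacker's cost per guess per user (here from a table lookup to 10,000 HMAC rounds, and in production to far more), but they cannot rescue a password that sits in every cracking wordlist. A long, random, unique password per site is the only thing that keeps a hash, however it was stored, from being turned back into a working credential somewhere else.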
What is Quora doing to protect its users?
Quora has logged out all users who might be affected and invalidated their passwords, so a new password must be chosen on the next login. Affected users have been, or soon will be, notified by Quora about the situation.
What can you do to protect yourself?
As already noted, the biggest danger with this breach is hackers obtaining passwords that are used across multiple websites.
This happens far too often, because most of us are terrible at remembering even one truly secure password (a long, random string of mixed characters), let alone a different one for each website we use.
Fortunately, technology has the answer. A password manager will generate a strong, unique password for every website you visit, and will usually sync across all your devices to ensure they are always available to you. Because each password is unique, a hash stolen from one site cannot be used to log in anywhere else.
Any password manager app or service is better than none at all, but we favor open source solutions such as KeePass and Bitwarden.
A VPN is also worth considering, but be clear about what it does: it encrypts your traffic so that others on the same public WiFi cannot read it. It does nothing to protect data already held on a company's servers, so it would not have helped with this breach. For more information see our best VPN article.
There are two takeaways from this. The first is that any data stored on a central server can be stolen, and any company or government that says otherwise is being worryingly economical with the truth.
The second is to use a password manager!
Image credit: By chrisdorney/Shutterstock.