
Industry Leaders Reaction On Quora Breach

By ISBuzz Team, December 5, 2018 (Updated: July 4, 2024)

Quora.com, a site where people ask and answer questions on a range of topics, said hackers breached its computer network and accessed a variety of potentially sensitive personal data for about 100 million users. Compromised information includes cryptographically protected passwords, full names, email addresses, data imported from linked networks, and a variety of non-public content and actions, including direct messages, answer requests and downvotes. The breached data also included public content and actions, such as questions, answers, comments, and upvotes.

Colin Bastable, CEO at Lucy Security:

“The bad news just keeps coming: Dark Web hackers now have access to data imported to Quora from linked networks; the passwords were probably decrypted over the weekend; names, email addresses and personal addresses are probably being cross-referenced against Marriott accounts right now.

Quora requires that people use their real names to register and doesn’t store the identities of people who post anonymous content; perhaps the most important message for consumers online is “stay anonymous” – because if you don’t have an account, you are less vulnerable.”

John Gunn, CMO at OneSpan:

“As breaches go, this is really relatively mild – no credit card information, no social security numbers, no passport data, just user names, passwords, and email addresses. Considering that there have already been countless breaches of passwords, and no responsible security professional protecting assets of value relies on them anymore, the 100 million Quora “victims” are really at no greater risk than they were before the breach.”

George Wrenn, CEO and Founder at CyberSaint:

“This particular breach could mean more for the individual consumer who integrates the use of his or her social networks, uses the platform more often, and leaves more personal information on the platform than those who don’t. Only time will tell what the true impact of this breach is as the company investigates further. The recommendation I would make to all organizations maintaining data such as this is to align with and measure their NIST Cybersecurity Framework posture at a minimum, so that they are at least supporting best practices, and to add data privacy and protection measurement to their program as well for the sake of users.”

Anthony James, CMO at CipherCloud:

“At 100 million records the Quora breach likely makes the unhappy list of top ten data breaches of all time. The top ten includes Yahoo! twice (1 billion and 500 million), MySpace at 360 million, eBay at 145 million, Equifax at 143 million, Target at 110 million, LinkedIn at 100 million, and others.

Quora is not alone in finding that current perimeter defense and endpoint security strategy doesn’t work well anymore. Attackers will get into your cloud. New technology is available to ensure all of your cloud data is transparently encrypted before it is delivered to the cloud application (zero trust encryption), so that any unauthorized entry point to your cloud data renders the attackers’ access futile. This gives you the time you need to detect these cyberthieves, shut down the attack, and resume normal operations with confidence. If the data is encrypted, and the data encryption keys are stored separately, by definition there is no breach as they cannot access the data.”

Ruchika Mishra, Director of Products and Solutions at Balbix:

“The news about Quora’s data breach comes one week after Dell announced a similar breach of its Dell.com online accounts. These breaches highlight how most enterprises today do not have adequate visibility into all vulnerabilities in their networks and infrastructure, and therefore cannot take proper actions to avoid breaches.

Quora has made statements to try and reassure affected users that the information exposed would unlikely lead to identity theft, since the company does not collect or store Social Security numbers or credit card information for its users. However, any breach of personal info is reason enough for users to be alarmed, and breaches like this can still significantly damage a company’s reputation. It’s not just about the data that was breached, it’s also a breach of trust.”

Jacob Serpa, Product Marketing Manager at Bitglass:

“At 100 million records, Quora’s breach is one of the largest reported data breaches this year – it ranks behind those experienced by Under Armour (150 million records) and Marriott (500 million records). For companies like Quora that boast massive databases of customer information, brand reputation and user data security are intricately intertwined. Even if companies aren’t collecting the kind of information that can lead to credit fraud or identity theft, they must still prioritize security and take the proper steps to ensure that user data is protected. For example, they should adopt technologies and processes that deny unauthorized access to sensitive information, protect data at rest, and configure all systems and tools correctly.”

Carl Wright, Chief Commercial Officer at AttackIQ:

“A week barely passes without the disclosure of a significant breach these days. Companies should be learning from others’ mistakes before a similar breach happens to them. Executives and Board of Directors must evaluate how much of the IT budget is being allocated to security control validation and testing, especially since several U.S. states have passed legislation to expand data breach notification rules and penalties to mirror those of GDPR. Organizations need to continuously assess the viability of their security controls the same way adversaries do in order to protect against future events.”

Joseph Patanella, CEO at Trusted Knight:

“It seems barely a day passes now when a major company is not breached – and today it is the turn of website Quora, who have revealed that a staggering 100 million users have had their details stolen. The breached data includes email addresses, passwords – and most worryingly – data imported from linked networks, when authorized by users. This means that for many individuals, who would have used their Google or Facebook accounts to sign up to Quora, the criminals are likely to have an extensive amount of data readily available at their fingertips.

“Quora have reported that they are still investigating the breach, and have for the moment logged all of their users out, and forced accounts with a password to reset them. Quora said that stolen passwords were encrypted to prevent hackers from using them, but users should err on the side of caution and also reset passwords on their other accounts if they used the same one. People should also change their passwords for any networks that they had linked to Quora.

“Quora have responded quickly to the breach, but the point to be made is that the frequency to which companies are hacked now is simply unacceptable, and major changes need to be made. When will companies begin to take responsibility for protecting their customers’ data seriously? And actually do what needs to be done to protect their customers’ personal information? The time to address this is now.”

Irra Ariella Khi, CEO and Co-founder at VChain:

“This is a breach that will come as a shock to online services, and people who use them. Quora is a site where users post interesting questions and other members of the community answer. You mightn’t expect that there would be a lot of sensitive data at stake there, but evidently you would be wrong. Names, contact information, encrypted passwords, and any linked social media accounts have been exposed – as well as a lot of potentially personal information, as private interactions on the site were also accessible.

“This is a wake up call. Any site or service you volunteer your data to can be breached. These organisations – no matter how trivial the service they provide is – have a responsibility to protect your data.

“Yet, organisations across all industries continue to store personal data on centralised, vulnerable systems where it is just a matter of time before they are breached – and for some reason expect themselves to be different to the last company that was hacked. It’s imperative that cyber security and data management move towards privacy by design: using systems that are built from the outset to be secure, with privacy by design architecture built into the core of any sensitive data product.

“Look at how much damage can be caused by a Q&A site being hacked. Now think of all the airlines, shops, tech giants storing your data in exactly the same way. Organisations need to change the way they store and manage data, and fast.”

Andy Wright, Regional Director for Northern Europe at Check Point:

“Hackers are deliberately targeting companies and websites which hold massive amounts of customer data – as we’ve seen with the recent major attacks against airlines and hotel chains. While it is not known how Quora’s systems were breached, the attackers could have exploited any one of several vectors to get access. Organizations need to protect themselves against sophisticated fifth-generation threats which spread across networks, endpoints, mobiles and cloud services, and prevent them from being able to impact on their business.

“Luckily, there was no financial information associated with the exposed user data, and the stolen passwords were encrypted, but users should consider changing their passwords on other accounts if they have used the same password as for their Quora account. They should also be suspicious of emails claiming to be related to the Quora breach, as these could be phishing attempts to try and extract more sensitive information.”


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
