Question and answer website Quora has suffered a data breach affecting more than 100 million of its users, prompting cybersecurity experts to comment that the Quora hack shows how no sector is safe from cyberattacks.
Registered members received an email in the early hours of Tuesday morning notifying them that “some user data was compromised as a result of unauthorised access to our systems by a malicious third party”.
The compromised data includes account names, email and IP addresses, user ID, encrypted passwords, user account settings and personalisation data.
Data linked to other networks, such as Facebook, was also accessed. This includes contacts, demographic information and interests.
Access tokens were also compromised but they have since been invalidated.
Quora discovered the breach on Friday and is now investigating. The website believes it has identified the “root cause” and has “taken steps to address the issue”. The company has notified law enforcement.
Draft questions, answers, comments and blog posts were also affected.
However, anonymously written questions and answers were not impacted by the breach because Quora’s policy does not allow the identity of those posting anonymously to be stored.
Quora hack is latest in a long line of data breaches
The Quora hack closely follows Friday’s Marriott hotel breach, in which half a billion users had their data compromised. This year, there have been countless other high-profile breaches, such as the one that hit Facebook in October and the Dixons Carphone Warehouse breach in June.
And those in the cybersecurity industry don’t expect the rate of attacks to slow, either.
“We will continue to see events such as this and it should be a reminder that companies need to take all possible steps to protect themselves from cyberattacks,” said Malcolm Taylor, director of cyber advisory at ITC Secure.
Taylor added that the Quora hack shows that no sector is safe from cyber threats.
“Even two years ago, attacks typically hit certain sectors, often banks and financial services.
“That was perhaps only perception then, but now we definitely see companies in all sectors suffering serious incidents. Attackers typically don’t care who they hit – these attacks are how they make their living.
“Pretty much every piece of data has a value online – which is precisely why companies should be protecting it.”
Sam Curry, chief security officer at Cybereason, said that it’s “time again to sound the alarms in an attempt to change the mindset in boardrooms around the world”.
“Today, the potential attack surface that corporations have to protect is a lot bigger and wider than it was just a few years ago, and this plays right into the hands of hackers.
“It is through persistence and patience that most adversaries are successful – try and try again until you are successful. This leaves corporations with the responsibility to implement a new offensive mindset and to very specifically take the fight to the adversaries, putting them on the defensive.
“Something has to change, because a hacker only needs to be right once to successfully compromise a corporation, while the defenders have to be right 100% of the time to avoid making headlines for the wrong reasons.”
Quora hack highlights importance of password hygiene
Emmanuel Schalit, CEO of password management firm Dashlane, recommends that users change their passwords immediately on Quora and on any social media accounts that were linked to their profile.
“Each of your online accounts should have a unique, complex password – this is especially true of accounts that contain sensitive personal information like social media accounts.
“You may not be able to control the security architecture of the digital services you use every day and that hold so much of your data, but you can take measures to make sure you have optimal password hygiene.”
He advised against using the same password across online accounts, despite the convenience it provides.
“We then bury our heads in the sand and think that everything is fine; until we receive an email from Quora or Facebook or Marriott saying our account details have been compromised.
“You never know when your accounts may have been exposed and your information vulnerable – it’s important to remember that password hygiene is not just for breaches.”