A breach at the question and answer website Quora has compromised the data of 100 million users.
Last Friday the company discovered an intrusion by a third party and has “already taken steps to contain the incident,” Quora said in an email to users obtained by SC Media.
Information that could have been compromised is account and user data, including names, email addresses, user IDs, encrypted passwords, account setting and other personalization data as well as public actions and content, data from linked networks and non-public actions such as down votes.
“All customer information is valuable to fraudsters. Name, physical and email addresses, passwords, the content of emails – everything that can be used to compile an identity will be used,” said Ryan Wilk, vice president of customer success for NuData Security, a Mastercard company. “We must change the current equation of ‘breach = fraud’ by changing how we think about online identity verification. We need to protect all customer data, but more importantly, we need to make it valueless.”
“Questions and answers that were written anonymously are not affected by this breach as we do not store the identities of people who post anonymous content,” the email said.
The question-and-answer forum said its investigation is ongoing and that, in the meantime, it is notifying those users whose data was compromised, has logged them out and has invalidated their passwords.
“Quora shared they are logging out all affected Quora users and invalidating their access if they use a password as their authentication method,” said SecurityFirst President and CEO Jim Varner.
“As far as I can see, this is the only possible course of action with their current password-only protection,” Varner said.
Without additional information on the incident, security pros said, it’s impossible to determine how the intrusion came about.
“Stolen data and other scanty details currently available about the breach may indicate that the intrusion has occurred via one of Quora’s web applications,” said High-Tech Bridge CEO Ilia Kolochenko. “A second possibility is an attack against a trusted third party, such as one of their data processors” though “until full and detailed investigation is not completed, it is too early to make definitive conclusions.”
Pointing to the $12.5 billion class-action lawsuit filed the day after the Marriott data breach, Kolochenko said, “Quora may also expect significant legal ramifications. The financial penalties they will be required to pay to authorities and damages in individual lawsuits/settlements will likely be economically bearable, nonetheless, the total amount can be huge.” Because the details and scope of the breach so far are not provided, victims are left “in ambiguity and darkness,” he said. “If the alleged information were indeed stolen, we shall expect a wave of password reuse attacks and various spear phishing campaigns targeting the victims.”
Since “many of the compromised accounts belong to users who haven’t been active for years they may not even remember that they have a Quora account,” said Ben Johnson, co-founder and CTO at Obsidian Security. “The reality is, consumers’ online identities go back decades. One security related downside of data being so cheap to store is that long after users’ social habits shift away from a particular site, important parts of their digital identity remain in those databases. Reusing the same password puts sensitive data across all accounts at risk if a single breach occurs – even if it’s a service they haven’t used in years.”
The Quora intrusion is part of a growing issue for security teams. “Mounting evidence points at stolen credentials being involved in the vast majority of breaches, and there is no sign of this trend slowing down,” said Stephen Cox, vice president and chief security architect at SecureAuth. “Far too many organizations are relying on approaches that have simply been proven ineffective against modern attackers, and they must be careful to not develop a false sense of security even when they’ve adopted basic techniques such as two-factor authentication. These types of breaches will continue to proliferate unless organizations up their game for their employees and their customers.”