How to Protect Yourself After a Recent Quora Data Breach
Another popular service has been breached, this time Quora, and such announcements have started to seem like a weekly tradition. As always, some mixture of your personal data (or credentials) is potentially in the hands of people who should not have it, and you will want to take steps to protect your account and/or your online life.
If you’ve ever created an account on Quora, here’s what you need to know:
What was hacked this time?
Quora sent out an email and posted a blog entry to provide more information on a recent security breach affecting its service. First, Quora wants you to know that it is sorry. (This doesn’t make the process any less annoying, but it’s always good to start with a big apology.)
Second, nearly 100 million Quora users were affected by this breach. That’s roughly a third of its monthly active user base, going by figures reported over the past few months. Third, Quora is actively investigating the breach, which was discovered on Friday, and this is what it has found so far:
“Approximately 100 million Quora users may have had the following information compromised:
- Account information such as name, email address, encrypted (hashed) password, and data imported from linked networks when authorized by users.
- Public content and actions, such as questions, answers, comments, and upvotes.
- Non-public content and actions, such as answer requests, downvotes, and direct messages (note that a low percentage of Quora users have sent or received such messages).”
Quora tries to downplay the password portion of the breach, later commenting that “although passwords were encrypted (hashed with a salt that varies for each user), it is generally recommended not to reuse the same password across multiple services, and we recommend people change their passwords if they do so.”
However, you should be a little more concerned than that. Quora did not say which hash function it used to protect these passwords, and Dan Goodin of Ars Technica notes that this is a rather serious omission. A salted hash is only as good as the function behind it: if Quora took the fast, simple approach, the stolen hashes are far less secure than the statement implies. As Goodin describes it:
“The specific hash function is of great importance. If it uses fewer than 10,000 iterations of a fast algorithm like MD5, with no cryptographic salt, hackers using off-the-shelf hardware and publicly available wordlists can crack up to 80 percent of the password hashes in a day or two. … By contrast, a function like bcrypt can prevent a large percentage of hashes from ever being converted to plaintext.”
At the very least, you can take comfort in the fact that the breach did not affect any anonymous questions or answers you posted on Quora. The site says it does not store the identity of whoever posts anonymously, so that content is not linked to your account at all.
What to do next?
Quora is sending emails to those potentially affected by the breach. Even if you haven’t received one, situations like this are a great time to review your account security across the board. For instance:
Have you used the same Quora password for other sites and services?
Stop doing that. I know, I know; I did that too. But given how easy it is to use a password manager to create long, complex, and, most importantly, unique passwords for every site and service you use, there is no reason to use the same password across multiple sites. Taking password creation seriously will not stop these breaches, but it will significantly limit their impact: a password cracked from one dump cannot then be tried against your email, bank or social accounts.
Are you using two-factor or two-step authentication?
When someone tries to log in as you, a good site or service will warn you that it has seen a new login, so you can do something about it if it wasn’t really you. An even better site or service will ask for an additional form of verification – a code sent by text message, a push notification you approve, a number you read from a software or hardware token, and so on – which you must enter in addition to your password before you get in. If you haven’t set up two-factor authentication for the various services you log into, check whether they support it. If they do, you are doing yourself a disservice by not using it.
Do you have a lot of inactive accounts?
I’m not a big Quora user. In fact, I haven’t asked or answered a question for so long that I can’t even remember the last time I logged in. However, I do have an account, and receiving the “you might be screwed” email reminded me of that fact.
While strong, unique passwords and two-factor authentication do a lot to keep you safe after your favorite site or service is inevitably breached, don’t forget about all the services you used to use and never visit anymore. If you no longer visit Quora (or Facebook, or Twitter, or whatever), sign in and delete your account.
There is no guarantee that a future breach will not surface old data a service kept about you, but you have a much better chance of limiting what can leak when you get rid of accounts you no longer use: data that was deleted cannot be stolen.
Are you ignoring a lot of emails?
Quora first notified the affected users via email, and it is reasonable to assume it will use email to share any further information about the breach. Since we all receive tons of email, it’s worth setting up a filter for words like “security,” “account,” or “hacked,” just to name a few, so you’re less likely to miss the next important notification.