Quora Hacked: What Happened, What Data Was Stolen And What Do 100 Million Users Need To Do Next?

Home Tech Quora Hacked: What Happened, What Data Was Stolen And What Do 100 Million Users Need To Do Next?

Institute For Ethical Hacking Course and Ethical Hacking Training in Pune – India

Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

Credits: Forbes

Like 100 million other Quora users, I awoke this morning to find an ominous email waiting for me that began: “We are writing to let you know that we recently discovered that some user data was compromised as a result of unauthorized access to our systems by a malicious third party.” Hot on the heels of the Marriott International hotel group breach that impacted half a billion users, the question and answer site has confirmed that its systems have been hacked leaving account and user information potentially compromised.

While it is currently unknown how the breach happened, Quora says the intrusion was only discovered on Friday November 30th, it does know the user data that has been compromised. This includes names, email addresses, IP addresses, user IDs, encrypted passwords, user account settings, personalization data, public actions and content (including drafts) such as questions, answers, comments, blog posts and upvotes. Oh, and data that has been imported from linked networks such as contacts, demographic information, interests and (now invalidated) access tokens. If you are a Quora user who contributed to the systems anonymously then your data will not have been impacted simply because that it does not store identity data of anonymous posters. It’s worth noting that the passwords that have been compromised were encrypted and hashed with a salt that will vary from user to user.

The disclosure email contains the usual, and frankly by this point pretty meaningless, apologies for any “concern or inconvenience this may cause” as well as the promises that everyone is working hard to investigate and take steps to prevent it happening again. I am led to understand that the investigation is being carried out by the internal Quora security team as well as a third party digital forensics company. Law enforcement has, of course, also been informed. As for the steps being taken, these include the disclosure notification that has already started hitting inboxes around the world and a forced password reset for all users, who will also have been logged out of the system now. Although Quora is not making any public statements with further detail at this point in time, it does say that it has “identified the root cause” of the breach and has “taken steps to address the issue.”

So, where does this leave you as a concerned Quora user? First and foremost there is an official Quora question and answer session, oh the irony, that can be found here. This confirms that all 100 million impacted users will be notified by email, so if you don’t get one then you are likely OK. That said, you should still reset your password as a matter of course whether Quora has invalidated it or not in my never humble opinion. You can do this by visiting settings if not prompted to do so when trying to log in. Click on the ‘Change Password’ link and enter your current password which will then enable you to change it. I would also recommend that you change passwords at any other accounts that you have using the same one, a practice that is not be recommended and breaches such as this illustrate exactly why.

Of course, all this assumes you know what your account details are in the first place. Many users may have signed into Quora to get the answer to a question and once that was done never given the site a second thought. If you want to find, and delete, your Quora account then there’s plenty of hands-on advice here.

Like 100 million other Quora users, I awoke this morning to find an ominous email waiting for me that began: “We are writing to let you know that we recently discovered that some user data was compromised as a result of unauthorized access to our systems by a malicious third party.” Hot on the heels of the Marriott International hotel group breach that impacted half a billion users, the question and answer site has confirmed that its systems have been hacked leaving account and user information potentially compromised.

While it is currently unknown how the breach happened, Quora says the intrusion was only discovered on Friday November 30th, it does know the user data that has been compromised. This includes names, email addresses, IP addresses, user IDs, encrypted passwords, user account settings, personalization data, public actions and content (including drafts) such as questions, answers, comments, blog posts and upvotes. Oh, and data that has been imported from linked networks such as contacts, demographic information, interests and (now invalidated) access tokens. If you are a Quora user who contributed to the systems anonymously then your data will not have been impacted simply because that it does not store identity data of anonymous posters. It’s worth noting that the passwords that have been compromised were encrypted and hashed with a salt that will vary from user to user.

The disclosure email contains the usual, and frankly by this point pretty meaningless, apologies for any “concern or inconvenience this may cause” as well as the promises that everyone is working hard to investigate and take steps to prevent it happening again. I am led to understand that the investigation is being carried out by the internal Quora security team as well as a third party digital forensics company. Law enforcement has, of course, also been informed. As for the steps being taken, these include the disclosure notification that has already started hitting inboxes around the world and a forced password reset for all users, who will also have been logged out of the system now. Although Quora is not making any public statements with further detail at this point in time, it does say that it has “identified the root cause” of the breach and has “taken steps to address the issue.”

So, where does this leave you as a concerned Quora user? First and foremost there is an official Quora question and answer session, oh the irony, that can be found here. This confirms that all 100 million impacted users will be notified by email, so if you don’t get one then you are likely OK. That said, you should still reset your password as a matter of course whether Quora has invalidated it or not in my never humble opinion. You can do this by visiting settings if not prompted to do so when trying to log in. Click on the ‘Change Password’ link and enter your current password which will then enable you to change it. I would also recommend that you change passwords at any other accounts that you have using the same one, a practice that is not be recommended and breaches such as this illustrate exactly why.

Of course, all this assumes you know what your account details are in the first place. Many users may have signed into Quora to get the answer to a question and once that was done never given the site a second thought. If you want to find, and delete, your Quora account then there’s plenty of hands-on advice here.

This story is still breaking so I will endeavor to update this article as more information is forthcoming.

Update #1:

The security industry is starting to pitch in with a view on the Quora breach and the implications for those whose account data has been accessed. Here’s what people are saying early doors:

Leigh-Anne Galloway, the cybersecurity resilience lead at Positive Technologies, makes the point that “the data sets that have been exposed here are huge” and not just the usual user credential leakage but “also their social network accounts and potentially their private personal information that was posted on Quora.” Galloway recommends all organizations should now prepare for the worst and get ready to deal with an almost inevitable breach.

Matt Aldridge, senior solutions architect at Webroot, is more concerned about one particular data type that apparently was compromised: that which was imported from linked social media accounts. “Cyber attackers will use information gained from social media sites to target employees through highly personalized attacks such as spear phishing” Aldridge says, continuing “through these types of attacks, malicious actors will trick employees into handing over their usernames and passwords, allowing them access to the company’s network.”

Richard Walters, CTO at CensorNet, agrees about the linked networks data being of value. “If these details go up for sale on the dark web” he says “some enterprising hacker will start some highly targeted attacks with email addresses and, possibly through LinkedIn, places of work.” Walters is also spot on when he points out that it has come to something when we describe breach severity as not so bad simply because passwords were encrypted for example. “All passwords should be encrypted as standard and networks should routinely be monitored for any unauthorized access” he warns, adding “the fact that this isn’t happening in today’s environment where hacks are almost a certainty for businesses is concerning to say the least.”

Simon McCalla, CTO at Nominet gives credit to Quora as “they have reacted quickly to report and stem the damage from the leak. This would suggest their internal security measures are well monitored and well operated.” While he has a point, the breach was only discovered last Friday and the disclosure has been quicker than many, it has still taken four days for users to be informed that their personal data has been stolen. I appreciate that investigations have to be made and early, often inaccurate, the disclosure is as bad as a late one but I can’t help thinking this timeframe is still too long given the nature of the data potentially compromised here.

Meanwhile, Ilia Kolochenko, CEO at High-Tech Bridge suggests that the type of data stolen and some of the other scant detail about the breach “may indicate that the intrusion has occurred via one of Quora’s web applications” or alternatively “an attack against a trusted third party, such as one of their data processors.” While it’s a little early to be drawing any definitive conclusions regarding the breach methodology, truth be told, there is one firm conclusion that can be drawn: Quora should expect significant legal ramifications. “The financial penalties they will be required to pay to authorities and damages in individual lawsuits and settlements will likely be economically bearable” Kolochenko concludes “nonetheless, the total amount can be huge.”

Update #2:

Luis Corrons, a security evangelist at Avast, has put together some advice for anyone who might be concerned that their data has been compromised in order to survive the inevitable phishing storm that will follow given the nature of the data stolen.

Look at the sender’s address carefully. Those looking to deceive are usually the ones with an email address which has nothing to do with the company it is claiming to be. Phishing attacks are becoming harder to spot with attackers using new technologies to personalize emails using information that people share about themselves online.

Do not click, download, or reply. If the email seems to be coming from a person or institution you know but looks suspicious, do not click any links, download any attachments or reply to the email. Instead, type the URLs of any websites you’ve received directly into the browser and do not enter banking information into any website unless see you see word ‘Secure’ in the address bar.

Question all “too good to be true” offers. This is definitely the case when it comes to phishing emails. Make sure you have a strong antivirus installed that can detect and block phishing attacks before they cause any damage.

Question fear, too. Phishing attacks are just as likely to say that your account has been locked, there are charges that you didn’t make, or just that there’s been suspicious activity you need to check, all in a bid to get you to hand over personal details.

www.extremehacking.org

Sadik Shaikh | Cyber Suraksha Abhiyan, Ethical Hacking Training Institute, CEHv10,CHFI,ECSAv10,CAST,ENSA, CCNA, CCNA SECURITY,MCITP,RHCE,CHECKPOINT, ASA FIREWALL,VMWARE,CLOUD,ANDROID,IPHONE,NETWORKING HARDWARE,TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking,Center For Advanced Security Training in India, ceh v10 course in Pune-India, ceh certification in pune-India, ceh v10 training in Pune-India, Ethical Hacking Course in Pune-India

The post Quora Hacked: What Happened, What Data Was Stolen And What Do 100 Million Users Need To Do Next? appeared first on Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan | Hackers Charity.

Leave a Reply

Your email address will not be published.