Data breaches and exposed data seem to be all the rage nowadays – almost no day passes by without another leak. Cathay Pacific, British Airways, Marriott, and of course Facebook are just a few of this year’s breaches. If you thought that you’d get a break until next year though, you are sorely mistaken: Today another breach was revealed – Quora.
Quora is a question-and-answer-website. That means that anyone can ask questions and give answers to questions that one knows the answer to – and if you are really lucky your question might even get answered by some prominent user like Obama, Stephen Fry, or Gillian Anderson. The page itself wants the user to either login with their Google or Facebook accounts (we know by now that the latter is a bad idea, right?), or create a new profile with his or her real name.
While this helps to give answers credibility it’s not so great anymore when the page gets hacked and data exposed and stolen. This is what happened now: According to Quora the data of 100 million users has been stolen.
What information was compromised?
For approximately 100 million Quora users, the following information may have been compromised:
- Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users
- Public content and actions, e.g. questions, answers, comments, upvotes
- Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)
While the last two points are really mostly only relevant for Quora itself – except perhaps the direct private messages – the name, mail addresses and passwords are what you definitely don’t want to get out.
As of now there is no information available on how Quora was breached. Affected users have been informed via mail and passwords were reset.
Change your passwords – NOW!
While the stolen passwords were encrypted it is still a lot safer to change your passwords if you were amongst the affected users and use the same password for several of your accounts. Here are a couple of tips you may want to follow:
- Use a unique password for each of your accounts. When a website gets hacked one of the first things bad guys do is checking out if your username/email address/password combination works on other (high-profile) pages.
- Your password should consist of at least twelve characters – the more the better. It should include upper- and lower-cases, numbers, and special characters.
- Try and create passwords that can’t be found in a dictionary. Hackers nowadays have programs that cycle through dictionaries to check if they can access your account.
- Don’t use character strings like 12345, abcde, qweertyui, etc.
- Use passwords that can’t be associated with you: Your dog’s name, birthday dates of family members or yourself or your favorite sport are a not a good idea.
- Change your password regularly – especially when it comes to your email and online banking/online payment accounts.
- Don’t write down your passwords and never ever share them.
If you have trouble coming up with a good, strong, and complex enough password you can always use a good Password Manager to help you out.