It may be time to change your passwords again. The question-answer website Quora has announced that a “malicious third party” had hacked one of its systems. The company is now “rapidly investigating” the breach.
What’s clear is that both private information – including account information like names, email addresses and encrypted passwords along with non-public content and interactions – and public site postings and interactions from some of Quora’s more than 100 million users were accessed.
This is just “approximate information” that indicates users who “may have” been affected, explained Sean Sullivan, F-Secure Security Advisor.
“I’m sure more precise details will follow soon. It’s important to get out a notification early because of the passwords that need to be changed,” he added. “But the other general details are probably there due to GDPR considerations.”
Quora said that it will continue to update affected users through email.
You’ve probably used Quora so don’t delay
There’s a decent chance you’re a member of the site, even if you don’t remember using it. The service was founded by two Facebook employees and is closely integrated with the world’s largest social network through quizzes. You can read the company’s FAQ on the hack here.
If you are a member of Quora, you should obviously change your password now, if you haven’t already. Or you could just delete your Quora account.
With Quora hacked, are you vulnerable?
“This case is yet another example as to why it is critical not to use the same password across multiple services,” Sean said. “Users who used either Google or Facebook to login may wish to revoke access from those platforms if they are no longer active users of Quora.”
Though the advice to use unique, strong passwords for every site has been around for decades, the world’s most popular passwords are still ‘123456’, ‘password’, ‘123456789’, ‘12345678’, ‘12345’ and ‘qwerty’, according to independent research from Ben Berkowitz of MWR Infosecurity, an F-Secure company.
This is why many cyber security experts use and recommend password managers, which make diversifying your credentials and changing them after a breach much easier. F-Secure’s Protection Service for Business includes password protection and F-Secure KEY was added to F-Secure TOTAL earlier this year.
Here’s a simple explanation on how to get started with a password manager now.
Everyone needs to assume the next breach is coming
This is the second major breach disclosed by a major company in less than a week. While the Quora hack is huge, it is only about a fifth of the size of the breach recently disclosed by Marriott, which may have also included credit card information.
“Companies should assume a breach and with that assume that their database of valuable information can be stolen by an attacker,” Tom Van de Wiele, Principal Security Consultant at F-Secure, said after that breach, advising companies to pursue defense-in-depth against inevitable attacks.
But that advice also needs to be understood by consumers.
Your passwords and account data will eventually be compromised. The question is: when that happens, will the criminals gain access to just that one account – or to all of the accounts you’ve secured with that same login information?