Quora, one of the largest Q&A internet portals, said hackers breached its servers and obtained information on about 100 million users, almost half of its entire customer base.
The Mountain View, Calif.-based company said it is still investigating the incident, which it discovered last Friday. Possibly compromised information includes encrypted passwords, names, email addresses, data imported from linked networks, and an assortment of public and non-public content and actions.
“The overwhelming majority of the content accessed was already public on Quora, but the compromise of account and other private information is serious,” Adam D’Angelo, Quora CEO, said. “Questions and answers that were written anonymously are not affected by this breach,” he added.
Quora said in a later statement, “It is highly unlikely that this incident will result in identity theft, as we do not collect sensitive personal information like credit card or social security numbers.”
What are some possible ramifications of this latest massive exposure of information?
Colin Bastable, CEO of Austin, Texas-based cybersecurity prevention firm Lucy Security, said: “The bad news just keeps coming: Dark Web hackers now have access to data imported to Quora from linked networks; the passwords were probably decrypted over the weekend; names, email addresses and personal addresses are probably being cross-referenced against Marriott accounts right now.” Bastable added, “Perhaps the most important message for consumers online is ‘stay anonymous’ – because if you don’t have an account, you are less vulnerable.”
According to John Gunn, chief marketing officer of Chicago-based OneSpan: “As breaches go, this is relatively mild – no credit card information, no social security numbers, no passport data, just user names, passwords, and email addresses. Considering that there have already been countless breaches of passwords, and no responsible security professional protecting assets of value relies on them anymore, the 100 million Quora victims are really at no greater risk than before the breach.”
This breach could mean more for consumers who integrate their use of social networks, and who use the platform more and leave more personal information on it, than for those who don’t, observed George Wrenn, CEO and founder of Burlington, Mass.-based CyberSaint. “The recommendation I would make to all organizations maintaining data such as this is to align with and measure their NIST Cybersecurity Framework posture at a minimum, so that they are at least supporting best practices, and to add data privacy and protection measurement to their program as well for the sake of users.”
Ruchika Mishra, director of products and solutions at Balbix, said, “The news about Quora’s data breach comes one week after Dell announced a similar breach of its Dell.com online accounts. These breaches highlight how most enterprises today do not have adequate visibility into all vulnerabilities in their networks and infrastructure, and therefore cannot take proper actions to avoid breaches.” Mishra added that any breach like this can significantly damage a company’s reputation.
“Quora’s breach is one of the largest reported data breaches this year,” Jacob Serpa, product marketing manager at Campbell, Calif.-based Bitglass, indicated. He also mentioned how closely brand reputation and user data security are intertwined for companies like Quora that boast massive databases of customer information. “Even if companies aren’t collecting the kind of information that can lead to credit fraud or identity theft, they must still prioritize security and take the proper steps to ensure that user data is protected.”
“A week barely passes without the disclosure of a significant breach these days. Companies should be learning from others’ mistakes before a similar breach happens to them,” Carl Wright, chief commercial officer of San Diego’s AttackIQ, said. He added that company leadership must evaluate the budget dollars allocated toward security control validation and testing, especially since several U.S. states have passed legislation to expand data breach notification rules and penalties to mirror those of GDPR.
Anthony James, CMO of CipherCloud, noted that at 100 million records, the Quora breach likely makes the unhappy list of top ten data breaches of all time. “Quora is not alone in finding that current perimeter defense and endpoint security strategy doesn’t work well anymore. Attackers will get into your cloud.” James underscored the availability of new technology to transparently encrypt all data before delivery to the cloud application (zero trust encryption). “So that any unauthorized entry point to your cloud data renders the attacker’s access futile.”
Ruby Gonzalez, head of communications at NordVPN, said, “This year has once again proved that even giant companies are not doing enough to secure sensitive user data.” He noted the exposure in September of personal details of about 50 million Facebook users, and that Marriott, the world’s biggest hotel chain, confirmed the breach of data for half a billion guests. “We urge all Internet users to share as little as possible online and to use a VPN to encrypt their online activities.”
Originally posted on cutimes.com.