Brace yourself for another huge data breach. Quora.com, a site where people ask and answer questions about a wide range of topics, said hackers broke into its computer network and accessed a host of potentially sensitive personal data for about 100 million users.
Compromised information includes cryptographically protected passwords, full names, email addresses, data imported from linked networks, and a variety of non-public content and actions, including direct messages, answer requests, and downvotes. The breached data also included public content and actions, such as questions, answers, comments, and upvotes. In a post published on Monday afternoon, Quora officials said they discovered the unauthorized access on Friday. They have since hired a digital forensics and security firm to investigate and have notified law enforcement officials.
“It is our responsibility to make sure things like this don’t happen, and we failed to meet that responsibility,” Quora CEO Adam D’Angelo wrote in Monday’s post. “We recognize that in order to maintain user trust, we need to work very hard to make sure this does not happen again.”
The service has logged out all affected users and, for those who authenticate with passwords, has invalidated the old passwords. Users who chose the same password to protect accounts on other services should immediately reset those passwords as well. Quora has already started emailing affected users.
“We believe we have identified the root cause and taken steps to address the issue, although our investigation is ongoing and we will continue to make security improvements,” Monday’s post said. “We will continue to work both internally and with our outside experts to gain a full understanding of what happened and take further action as needed.”
The hackers could not access questions and answers written anonymously because Quora does not store the identity of people who submit anonymous content. The decision not to tie anonymous content to the identity of those who post it is a smart one that protects many people who discussed sensitive personal matters. But it will do less to protect people who, despite Quora policy, may have used a pseudonym as their account name, or who discussed sensitive matters in direct messages.
A less helpful decision by Quora: the company did not disclose the format of the stolen password data, except to say it was “encrypted,” which most likely means the passwords were run through a one-way hash function. The specific hash function matters a great deal. If it is one that uses fewer than 10,000 iterations of a fast algorithm like MD5 without cryptographic salt, hackers using commodity hardware and publicly available dictionaries can crack as many as 80 percent of the password hashes in a day or two. A function like bcrypt, by contrast, can prevent a large percentage of the hashes from ever being converted into plaintext.
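To make the difference concrete, here is an added example (not Quora’s code or anything from the article) that contrasts the weak scheme described above, a single unsalted MD5 digest per user, with a salted, deliberately slow hash. It uses PBKDF2 from the Python standard library as a stand-in for bcrypt; the record format, the iteration count and the sample user record are assumptions, and it also shows the migration step a site would run at login to replace legacy hashes.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed legacy record of the kind the article warns about: unsalted MD5,
# so identical passwords hash identically and a precomputed dictionary matches instantly.
LEGACY_STORE = {"alice": hashlib.md5(b"correcthorse").hexdigest()}

PBKDF2_ITERATIONS = 100_000  # assumption: tens of milliseconds per guess on a typical CPU


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash stored as 'pbkdf2_sha256$iterations$salt_hex$digest_hex' (our own format)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    scheme, iters, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(stored: str) -> bool:
    """True for a legacy unsalted MD5 record or one hashed with too few iterations."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < PBKDF2_ITERATIONS


def login_and_migrate(store: dict, user: str, password: str) -> bool:
    """Verify against whatever format is stored; on success, upgrade weak records in place."""
    stored = store[user]
    if "$" not in stored:  # legacy unsalted MD5
        ok = hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)
    else:
        ok = verify_password(password, stored)
    if ok and needs_rehash(stored):
        store[user] = hash_password(password)
    return ok


def slowdown_factor(n: int = 10) -> float:
    """How many times more CPU a guess costs under PBKDF2 than under bare MD5 on this machine."""
    words = [f"guess{i}" for i in range(n)]
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for w in words:
        hashlib.md5(w.encode()).hexdigest()
    md5_time = time.perf_counter() - t0
    t0 = time.perf_counter()
    for w in words:
        hash_password(w, salt)
    return (time.perf_counter() - t0) / max(md5_time, 1e-9)
```

The migration function is the practical takeaway: a site that still holds unsalted MD5 records cannot reverse them, but it can replace each one with a salted, slow hash the next time that user logs in successfully.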
Quora’s post is just the latest disclosure of a major breach. On Friday, the hotel chain Marriott International said a system breach allowed hackers to steal passport numbers, credit card data, and other details for 500 million customers. In September, Facebook reported an attack on its network that let hackers steal personal data for as many as 50 million users. The social network later lowered the number of affected accounts to about 30 million.
Readers are reminded once again to use a long, complex password that is unique to each site, preferably generated and stored by a password manager. When multi-factor authentication is available, that protection should be used as well.