Quora Mega-Breach Could Open Users To Targeted Scams

The hack exposed personal data on 100 million users, as well as information from linked accounts such as Google, Facebook and LinkedIn

Security industry figures have warned that Quora users affected by the site’s mega-breach this week could be hit by targeted scams, due to the detailed personal information that may have been compromised.

Quora, founded by two former Facebook staffers, is a popular forum on which users can exchange questions and answers on a variety of topics, including via messages posted anonymously.

The site said this week that about 100 million users were affected by a breach that compromised names, email addresses and encrypted passwords.

Hackers also accessed information from other networks, such as Facebook, Twitter or LinkedIn, if users signed in via those networks, Quora said, specifying that the site receives “certain profile and account information” from linked networks.

Personal information

Quora said direct messages sent from one user to another may have been affected by the breach, but said that anonymous mesages were not.

One security expert said the involvement of linked networks could allow hackers to launch targeted scams against users.

“Users need to now be vigilant of phishing attacks as there’s a good chance that, if these details go up for sale on the dark web, some enterprising hacker will start some highly targeted attacks with email addresses and, possibly through LinkedIn, places of work,” said Richard Walters, chief technology officer of UK-based computer security firm CensorNet.

“The data sets that have been exposed here are huge – not just leaking the usual user credentials but also their social network accounts and potentially their private personal information that was posted on Quora,” said Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies.

Password encryption

Quora said it was logging out all users who may have been affected to prevent further damage, and advised users to change their passwords if they reused them across Quora and elsewhere.

The company said it had notified law enforcement and was in the process of notifying those users who were affected.

“While the passwords were encrypted (hashed with a salt that varies for each user), it is generally a best practice not to reuse the same password across multiple services, and we recommend that people change their passwords if they are doing so,” Quora said in a statement.

Several security researchers noted that the encryption used by Quora to protect the stored passwords should limit damage, but noted that such practices are far from being industry standard.

“All passwords should be encrypted as standard and networks should routinely be monitored for any unauthorised access,” said CensorNet’s Walters. “The fact that this isn’t happening in today’s environment, where hacks are almost a certainty for businesses, is concerning to say the least.”