In what’s starting to feel like a weekly tradition, another popular service — Quora, this time — has indicated it has been the victim of a security breach that may have affected its users. As always, some mixture of your personal details (or login credentials) is potentially in the hands of people who shouldn’t have that information, and you’re going to want to take steps to secure your account and/or online life.
If you’ve ever made an account on Quora, here’s what you need to know:
What got hacked this time?
Quora sent out an email and posted a blog to provide more information about the recent security breach that affected its service. First, Quora wants you to know it is very sorry. (That doesn’t make dealing with this process any less annoying, but it’s always good to start with a strong apology.)
Second, this breach affected approximately 100 million Quora users. That’s roughly one-third of its active monthly user base, based on some of the figures floating around over the past few months. Third, Quora is actively investigating the breach, which it just discovered Friday, and here’s what it has found so far:
“For approximately 100 million Quora users, the following information may have been compromised:
Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorised by users
Public content and actions, e.g. questions, answers, comments, upvotes
Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)”
Quora attempts to downplay the password part of the breach, later commenting that “While the passwords were encrypted (hashed with a salt that varies for each user), it is generally a best practice not to reuse the same password across multiple services, and we recommend that people change their passwords if they are doing so.”
You should be a bit more concerned, however. Quora says the passwords were hashed with a per-user salt, which rules out precomputed “rainbow table” attacks, but it doesn’t say which hash function it used or how expensive that function is to compute, and Ars Technica’s Dan Goodin notes this is a pretty critical omission. Salt or no salt, a single pass of a fast general-purpose hash can be guessed at billions of candidates per second on commodity GPUs; a deliberately slow, iterated function (bcrypt, scrypt, Argon2, PBKDF2 with a high iteration count) makes each guess cost the attacker real time. If Quora went with the simpler approach, those passwords aren’t that protected, as he describes:
“The specific hash function matters greatly. If it’s one that uses fewer than 10,000 iterations of a fast algorithm such as MD5 with no cryptographic salt, hackers using off-the-shelf hardware and publicly available word lists can crack as many as 80 per cent of the password hashes in a day or two. A function such as bcrypt, by contrast, can prevent a large percentage of hashes from ever being converted into plaintext.”
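To make the difference concrete, here is an added example (not code from Quora or from the article) that stores the same password two ways, runs the offline dictionary attack an attacker would mount on a leaked salt+hash pair, and times one guess under each scheme. The wordlist and the 100,000-iteration work factor are constructed for the demo; PBKDF2 from Python’s standard library stands in for bcrypt/scrypt/Argon2 because it needs no third-party package.

```python
import hashlib
import hmac
import os
import time

# Constructed wordlist for the demo; not taken from any real leak.
WORDLIST = ["123456", "password", "quora2018", "letmein", "dragon", "correcthorsebatterystaple"]

# Assumed work factor for the slow scheme; pick the highest your login-latency budget allows.
PBKDF2_ITERATIONS = 100_000


def hash_fast_salted(password: str, salt: bytes) -> str:
    """'Hashed with a salt' in the weakest sense: one MD5 pass over salt+password.
    The per-user salt defeats precomputed tables, but an attacker holding the salt
    and hash can still test enormous numbers of guesses per second."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def hash_slow_salted(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256: an iterated, deliberately slow hash. Every guess costs
    the attacker the same work it costs the legitimate login."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Self-describing storage format (algorithm$iterations$salt$hash), so the work
    factor can be raised later without invalidating records already stored."""
    salt = os.urandom(16)
    digest = hash_slow_salted(password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest}"


def verify_record(password: str, record: str) -> bool:
    """Login-side check of a stored record; constant-time comparison of the digests."""
    algo, iterations, salt_hex, digest = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported algorithm {algo!r}")
    candidate = hash_slow_salted(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, digest)


def dictionary_attack(stored: str, salt: bytes, hash_fn, wordlist=WORDLIST):
    """What an attacker does with a leaked salt+hash: hash each candidate the same
    way the site did and compare. Returns (recovered password or None, guesses made)."""
    for n, guess in enumerate(wordlist, start=1):
        if hash_fn(guess, salt) == stored:
            return guess, n
    return None, len(wordlist)


def seconds_per_guess(hash_fn, salt: bytes, samples: int = 3) -> float:
    """Wall-clock cost of one guess; the ratio between the two schemes is the
    slowdown the attacker suffers per candidate password."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"guess{i}", salt)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    salt = os.urandom(16)
    for name, fn in (("MD5(salt+pw)", hash_fast_salted), ("PBKDF2-SHA256", hash_slow_salted)):
        stored = fn("quora2018", salt)
        found, guesses = dictionary_attack(stored, salt, fn)
        print(f"{name:14} cracked={found!r} after {guesses} guesses, "
              f"{seconds_per_guess(fn, salt) * 1e6:.0f} us per guess")
```

Both schemes fall to the wordlist if the password is in it; the point is the per-guess cost, which is what decides whether a 100-million-row dump is cracked in a day or stays mostly opaque. Note the attacker’s own comparison can be a plain `==`; only the site’s verification path needs the constant-time compare.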
At least you can find solace in the fact that the breach didn’t affect any anonymous questions or answers you’ve posted to Quora. Quora says it doesn’t store the identities of people who post anonymously, so there was nothing linking that content to your account for the attacker to take.
What should you do next?
Quora is emailing those who have potentially been affected by the breach. But even if you don’t receive an email, situations like these are a great time to review your online security setup. For example:
Have you used the same password on Quora for other sites and services?
Stop doing that. I know, I know; I’ve done it, too. But given how easy it is to use a password-management tool to create long, complicated and—most importantly—unique passwords for each site and service you use, there’s no reason you should be using the same password across multiple sites. While getting serious about password creation won’t stop these breaches from happening, it’ll greatly mitigate their effects.
Do you use two-factor or two-step authentication?
When someone tries to log in as you, a great site or service will warn you that it has detected a new login and you might want to do something about it if it isn’t actually you. An even better site or service will reach out to you for a secondary form of verification—a texted code, an authentication prompt, a number you read from a software or hardware token, et cetera—that you also have to enter in addition to your password to gain access. If you haven’t set up two-factor authentication for the various things you log into, find out if it’s an option. If it is, you’re only doing yourself a disservice by not using it. (If you get a choice, an authenticator app or hardware key is stronger than a texted code, which can be intercepted by someone who hijacks your phone number.)
Do you have a lot of dormant accounts?
I’m not a big Quora user. In fact, it’s been so long since I’ve asked or answered a question, I can’t even remember the last time I logged in. I have an account, however, and receiving the “you might be screwed” email reminded me of that fact.
While strong, unique passwords and two-factor authentication can do a lot to help you stay secure after your favourite website or service is inevitably hacked, don’t forget about all the services you used to use and no longer visit. If you’re no longer visiting Quora (or Facebook, or Twitter, or whatever), go in and delete your account.
While there’s no guarantee that a future breach won’t dig up your old information, you have a stronger chance of preventing your information from leaking out when you get rid of accounts you no longer use.
Do you ignore a lot of email?
Quora first notified affected users via email, and it stands to reason that it’s going to use email to let users know about any additional information related to its big security breach. While we all get a ton of email, it’s worth setting up a filter for words like “security,” “account,” or “compromised”—to name a few—so you’re less likely to miss emails notifying you about the next big breach.