This week has been littered with data breach news, and sometimes the only reaction one has when yet another breach is disclosed is a big sigh. The question-and-answer site Quora announced a data breach that affected as many as 100 million users. Before you toss this aside because you’re thinking “Hey, I don’t have a Quora account, so this doesn’t matter,” well…it just might. Many users may have accounts they didn’t know they had, so read on.
Quora allows users to post as a named user or as an anonymous user. The named users are the ones that really have to worry. However, if you have a Facebook or Google account and used it to sign in to Quora, anonymously or not, you may also have been part of this breach. With Facebook in particular, those fun little quizzes that pop up now and then may have been linked to Quora, unbeknownst to the quiz takers. That means you may indeed have an account at Quora and not have known…until now.
So, first: regardless of whether or not you received a notification from Quora, change your password for that site. Make it unique to that site only! Don’t skimp on this. This breach is also a great example of why you need unique passwords. If you used the same password on Quora as on another site, you now need to go change those too. Password reuse is real. There are tools that allow bad actors to perform credential stuffing, trying leaked login information against many sites in a short period of time. It is important to use unique login credentials for every single site.
Use strong passwords too. Don’t think it’s OK to get lazy here either. The number one password every year is “123456” or some derivation of it. In the top ten for 2017 is “football,” so don’t use that either. The password crackers already know about these, and you can bet they are at the top of the list of passwords to try when they are performing credential stuffing attacks. Make your passwords at least eight characters long, and include a number, a special character such as “!” or “$,” and both uppercase and lowercase letters. Just make sure not to click links in any email messages you may receive asking you to change your password. Go into your account and do it there. Change your password whether or not you are specifically included in the 100 million.
Another problem is for those who logged in a long time ago for a single answer and then never visited the site again. They may not even remember the account until they get a notification from Quora or recall seeing other email messages from the company. Luckily, you can also delete your Quora account altogether. You can find the option under the privacy settings. It may take Quora a while to delete it, but you definitely can do it. You should delete all accounts you no longer use.
Quora is blaming this on a “malicious third party.” Other than that vague statement, we also know they discovered it on November 30. Information that was accessed includes, but is not limited to, users’ names, email addresses, passwords, user account settings, IP addresses, and data from any connected social networks, potentially including information about the user’s social media contacts. Use caution when linking online accounts, especially to social media. Also, really take a few moments to consider whether you want to take that Facebook quiz. As we have seen with the Cambridge Analytica incident, perhaps it really isn’t that important to know which pop star or Disney villain you most resemble.