Quora hacked – 100 Million accounts compromised – what you need to know

The massively popular Q&A site has been comprehensively hacked. As ever, change your password and if you’ve used that one anywhere else, change those too. Sharing passwords between sites is a bad idea, we wrote about this in our Silent Nights Advent Calendar this year. Read more about the incident here.

 

The hackers have also made off with data imported from any social media platform linked to the account for the purposes of authentication or sharing. We had a look this morning at the data shared when you connect an account. Note these are current as of today, connections made in the past may have shared different data.

Facebook

Facebook is sharing quite a bit of information here, although you can restrict it. This breach is a good reason why one would want to restrict the information shared with third parties. By default they’re collecting:

  • Public Profile (mandatory)
  • Date of birth
  • Home town
  • Current city
  • Email address

Interestingly when you connect the account inside Quora it doesn’t ask for that extra information. I’m sure Quora doesn’t need to know the optional stuff to facilitate a login.

Google

Google is only used for authentication and they only hand over a few pieces of public information

  • Name
  • Email Address
  • Profile Picture

Once logged in, Google doesn’t appear to be used for anything else and is not available to connect in Settings

Twitter

Twitter will hand over the following data and it appears that this is all mandatory

  • Tweets from timeline (including protected tweets that are not otherwise visible publicly)
  • People you follow (publicly available anyway)
  • Email address

Twitter is only used for content sharing but it will hand over quite a bit of data when you link it to Quora. We don’t know exactly how much data Quora has downloaded but assuming they’ve pulled your email address, which is not publicly available on a Twitter profile, this could now be linked with the address you used in Quora. It’s unlikely that a hacker will make direct use of this but if the leaked Quora data is released on the Dark Web it could be of interest to other people if your Twitter account is an alias.

LinkedIn

Like Twitter, LinkedIn is only used for sharing content and it shares some basic public information.

  • Name
  • Photo
  • Headline
  • Current Positions

Should I be worried?

Probably not although if you have linked a sensitive Twitter account to your Quora account or vice-versa you might be concerned that the link will become clear, or protected tweets revealed, if the data is dumped anywhere. For everyone else, it’s really just public information that Quora are most likely using for data analytics.

 

It’s a timely reminder to be careful with whom you link to Facebook and Google for authentication as data will pass out of their systems into the new account you’ve just created. If you’re concerned, use the email login method, use a strong password unique to that site and use a [password manager] to deal with the complexity of remembering them all.

 

If you want more information or advice on keeping secure online, then contact our craftsmen today.

Leave a Reply

Your email address will not be published. Required fields are marked *