More than passwords: Quora breach highlights risks of third-party authentication
- On Monday, Q&A site Quora disclosed an intrusion that "may have" compromised data of approximately 100 million site users.
- Compromised information may have included account information, such as names, email addresses, encrypted passwords and linked network data; public activity; and private content and actions, such as direct messages, according to the blog post by co-founder and CEO Adam D'Angelo. The company is in the process of notifying impacted users and addressing the root problems that afforded access.
- Third-party access, discovered on Friday, is still under investigation by the company's security team and a digital forensics and security firm. Quora said it notified law enforcement of the security incident.
Internet users this week are asking Quora a different kind of question: "Was I compromised by your breach?"
Users who hadn't used or accessed a Quora account for years might have been surprised to find out that the breach impacted them. Forgotten accounts are a vulnerability for users' information security, especially if they reuse passwords across sites.
It is beneficial to have a regulation like GDPR with mandates that customers understand who has their data and what the data life cycle is, according to Matt Radolec, security architect manager at Varonis, in a statement provided to CIO Dive. A measure that protects consumers by mandating that websites delete user data if an account hasn't been accessed in, for example, five years could help mitigate this problem.
But regulators aren't likely to do anything in the wake of the Quora and Marriott breaches, according to Radolec. "There have been so many breaches in the U.S. where U.S. regulators have been silent," he said. "Bigger priorities I guess? Or maybe their priorities are with the businesses they might regulate."
With a lack of federal regulation to hold companies accountable, many states are taking the initiative to hold businesses accountable to frustrated consumers. Quora, like other companies that recently disclosed breaches, is lucky that the breach took place before the enactment of the California Consumer Privacy Act (CCPA).
Under CCPA, users can recover damages from a violation in the range of $100 to $750 per incident, according to Ruchika Mishra, director of products and solutions at Balbix, in a statement provided to CIO Dive. This could have put Quora on the line for class action lawsuits with damages in the billions of dollars.
Anonymous content on Quora is not tied to user identities and was not affected by the breach, according to the blog post. Most of the information compromised was already publicly available on the site, and affected users were logged out of their accounts, with passwords invalidated if used as the authentication method. Because Quora hasn't detailed how the attack happened or how data was being protected, questions of whether the company was at fault for the breach linger.
While the company did report and act on the incident in a timely manner, the compromise of consumer data is still serious and about more than just passwords, according to Mark Orlando, CTO of Cyber at Raytheon Intelligence, Information and Services, in a statement provided to CIO Dive.
Email addresses and phone numbers are important options for authentication, and actors that gained access to the information could be storing it in a database of records with other personal data, according to Avivah Litan, VP and distinguished analyst at Gartner, in an interview with CIO Dive. Combined with other PII, banking or healthcare data, it could help build a digital persona of users.
The expectation of convenience online means many users push security to the back burner, and this negligence can creep from personal computing to business networks. Social media authentication for sites is common and allows third-party sites to collect data about a user; this information is a valuable store of PII for hackers to target.
"In the rush to gain access, many users don't pay attention to what information sites will get access to as part of the authentication process," Orlando said. "Keeping these sites and services separate is the best way to limit the impact of these kinds of breaches."
Besides account information, the breach potentially compromised direct messages between Quora customers. Although these messages may not contain clear PII, such as birth dates, or passwords, they could help actors glean more information about an individual. These messages could be run through a text and language processor to find valuable information about users, such as likes and dislikes, according to Litan, and new data opens the doorway for new ways to manipulate people.
Just days on the heels of the Marriott breach, the Quora incident shows that, although people get wrapped up in other news, breaches aren't passé, she said. The lack of strong enough incentives means companies aren't spending enough on security, and regulators like the Federal Trade Commission aren't handing down serious penalties.
"We're asleep at the wheel," she said. "They get away with it, nothing is stepping in. In the U.S., nothing has changed really since the Equifax breach."
Like the recent Dell and Marriott breaches, the Quora incident is a reminder that breaches are inevitable, and discovering and reacting effectively to security incidents matters most for protecting consumers and the company, according to Stephan Chenette, co-founder and CTO of AttackIQ. Testing internal security capabilities, from detection to response, is crucial for transparency to stakeholders to minimize the impact.
Correction: The titles of Mark Orlando, CTO of Cyber at Raytheon Intelligence, Information and Services, and Stephan Chenette, co-founder and CTO of AttackIQ, have been updated for clarity.
Correction: An earlier version of this article said the CCPA would go into effect in Jan. 2019. It has been updated to reflect that it will take effect in Jan. 2020.
Follow Alex Hickey on Twitter