Quora Data Breach: 100M Users Impacted

Quora is the latest company to reveal that sensitive user data has been exfiltrated from its systems. Approximately 100 million users are affected, and the compromised data includes:

  • Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users
  • Public content and actions, e.g. questions, answers, comments, upvotes
  • Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)

Quora is notifying affected users (the subject line should be ‘Quora Security Update’), logging all users out of their accounts and invalidating their passwords so that a reset is required. Fortunately no payment details were accessed in this case, as Quora stores none. Note that a salted hash only slows an attacker down: anyone who reused their Quora password on another service should change it there too, since weak passwords in a salted dump are still recoverable by offline dictionary attack. I’ll continue to say it, but until the penalties for these types of data breaches are increased, they will continue to happen. It’s clear that corporations aren’t investing adequate resources in information security, and users are the ones who suffer as a result.

12 Comments

Davy
Davy (@guest_685026)
December 4, 2018 21:05

If I were a hacker, I’d just go for Acorn or Dosh and get access to bank account info including login/passwords. Seems to be low hanging fruit

Darwin
Darwin (@guest_684964)
December 4, 2018 19:27

I am dreading the day when Google has a data-breach.

Jeremy
Jeremy (@guest_684980)
December 4, 2018 19:45

Who says they haven’t?

lenin1991
lenin1991 (@guest_684908)
December 4, 2018 18:12

Maybe I should create an account and ask on Quora what the impact of this will be…

USB
USB (@guest_684910)
December 4, 2018 18:15

LMAO

shulem92
shulem92 (@guest_684892)
December 4, 2018 18:05

I don’t understand the point of having encrypted passwords if hackers can get past that too, meaning all passwords on their site are now visible to the hackers.

lenin1991
lenin1991 (@guest_684909)
December 4, 2018 18:14

Quora did the right things here, having passwords both salted & hashed. Even with a dictionary attack, passwords shouldn’t be compromised.

shulem92
shulem92 (@guest_684952)
December 4, 2018 19:10

I am saying this because I am a member, and in the email they say that passwords were affected. “The following information of yours may have been compromised:

Account and user information, e.g. name, email, IP, user ID, encrypted password, user account settings, personalization data…….
We’ve included more detailed information about more specific questions you may have in our help center, which you can find here.

While the passwords were encrypted (hashed with a salt that varies for each user), it is generally a best practice not to reuse the same password across multiple services, and we recommend that people change their passwords if they are doing so.”

lenin1991
lenin1991 (@guest_685049)
December 4, 2018 21:37

It’s good that they’re telling people to be overly cautious, just in case the salt was compromised too thus allowing a dictionary attack, but your password *should* be ok in this breach. That isn’t always true, some past breaches have been of unsalted passwords.

Snorlax
Snorlax (@guest_685340)
December 5, 2018 11:32

Huh!? The salt is always compromised: the salt is stored with the hashed password, and in sane password hashing functions like Bcrypt the salt is actually part of the ciphertext. The first couple of characters in a Bcrypt ciphertext are the version of the algorithm used, the next several characters are the salt, and the rest of it is the hash.

People are terrible with passwords and use garbage passwords that are easy to brute force so running a cracking program on a typical password database would yield the cleartext of most of the passwords used. That’s why they suggest changing your password.

Snorlax
Snorlax (@guest_685330)
December 5, 2018 11:23

Assuming the passwords were salted, hackers can only get the cleartext passwords from the ciphertext passwords with brute force. A password like “pancake1” is easy to brute force, but a password like “M5vv*xrhMXW36wZBudrvI$70e2{” is currently almost impossible to brute force with current hardware. To make it much more difficult to brute force, the current standard is to run the hashing algorithm several times, because that slows down the brute force.

If the passwords weren’t salted and only used one iteration of the hashing algorithm, it’s significantly easier to find cleartext passwords because a rainbow table lookup will work. A rainbow table is a precomputed list of hashes of common passwords.

Password cracking software (John the Ripper) is smarter than to try random combinations of letters+numbers first; it gets the low-hanging fruit and tries English words and known passwords. You can download a list of known passwords that come from previous data breaches where the passwords were stored in cleartext.

Since people are terrible about passwords, running JtR on a site’s passwords for a couple of days usually decrypts around 70% of the passwords in the list.

So if the site enforced strong passwords, disallowed any common password or any password from a known-used-password list, and used a strong password storage system that salts and does multiple iterations (Bcrypt is the current standard), then it would be very difficult to find out the cleartext passwords.

If you want me to explain something further or clarify just ask. 🙂 I work in the industry.

Rawls
Rawls (@guest_686034)
December 6, 2018 05:45

Thanks for your explanation, I’m only moderately tech savvy, but that was an understandable and useful explanation to something that’s eluded my understanding for a while.
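The points Snorlax makes in the thread above (the salt ships inside the stored record, an unsalted single-iteration hash falls to a precomputed lookup, and a salted iterated hash still gives up weak passwords to a wordlist while a strong password survives) can be seen end to end in a short script. The following is an added example written for this page; it is not Quora’s code, and Quora has published nothing about its scheme beyond “hashed with a per-user salt”. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, stores records in a hypothetical `$pbkdf2-sha256$iterations$salt$digest` layout that mimics bcrypt’s habit of packing algorithm, cost, salt and digest into one field, and runs against a small constructed wordlist in place of a real breach-derived list.

```python
import hashlib
import hmac
import os
import time

# Constructed wordlist standing in for a breach-derived list of the kind
# John the Ripper loads first. Real lists have millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "pancake1",
            "dragon", "iloveyou", "monkey", "football", "welcome"]


def unsalted_sha1(password: str) -> str:
    """Legacy scheme: one SHA-1 iteration, no salt.
    Every user with the same password gets the same stored value."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """Precomputed hash -> password map. A real rainbow table is a
    space-optimised version of this idea; the lookup is instant either way."""
    return {unsalted_sha1(w): w for w in wordlist}


def salted_pbkdf2(password: str, salt: bytes = None, iterations: int = 100_000) -> str:
    """Per-user random salt plus many iterations (PBKDF2-HMAC-SHA256 as a
    stand-in for bcrypt). Like a bcrypt string, the record carries algorithm,
    cost, salt and digest together, so the salt is by design not secret.
    The '$pbkdf2-sha256$...' layout is hypothetical, chosen for this example."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"


def parse_record(record: str):
    """Split the stored field back into its parts, exactly as an attacker
    holding the dump would. Returns (algorithm, iterations, salt, digest)."""
    _, alg, iters, salt_hex, digest_hex = record.split("$")
    return alg, int(iters), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify(record: str, candidate: str) -> bool:
    """Re-derive with the record's own salt and cost; constant-time compare."""
    alg, iters, salt, digest = parse_record(record)
    if alg != "pbkdf2-sha256":
        raise ValueError(f"unsupported algorithm {alg!r}")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iters)
    return hmac.compare_digest(dk, digest)


def dictionary_attack(record: str, wordlist):
    """Nothing can be precomputed (the salt differs per record), but each
    guess costs `iters` HMAC calls. Weak passwords in the list still fall;
    a password absent from the list is never found this way."""
    for w in wordlist:
        if verify(record, w):
            return w
    return None


def crack_unsalted_dump(dump: dict, wordlist) -> dict:
    """dump: {username: unsalted_sha1(password)}. One table serves every user."""
    table = build_lookup_table(wordlist)
    return {user: table[h] for user, h in dump.items() if h in table}


def crack_salted_dump(dump: dict, wordlist) -> dict:
    """dump: {username: salted record}. The whole wordlist is re-hashed per
    user because every salt differs, so cost scales with users x words x iters."""
    found = {}
    for user, rec in dump.items():
        pw = dictionary_attack(rec, wordlist)
        if pw is not None:
            found[user] = pw
    return found


if __name__ == "__main__":
    strong = "M5vv*xrhMXW36wZBudrvI$70e2{"
    users = {"alice": "pancake1", "bob": "pancake1", "carol": strong}

    unsalted = {u: unsalted_sha1(p) for u, p in users.items()}
    print("unsalted: alice and bob share a hash:", unsalted["alice"] == unsalted["bob"])
    print("unsalted cracked by lookup:", crack_unsalted_dump(unsalted, WORDLIST))

    salted = {u: salted_pbkdf2(p, iterations=20_000) for u, p in users.items()}
    print("salted: alice and bob share a record:", salted["alice"] == salted["bob"])
    t0 = time.perf_counter()
    print("salted cracked by dictionary attack:", crack_salted_dump(salted, WORDLIST))
    print(f"{len(WORDLIST) * len(users)} guesses took {time.perf_counter() - t0:.2f}s")
```

Running it shows alice and bob sharing one hash in the unsalted dump and both falling to a single table lookup, while in the salted dump their records differ, each guess costs a full PBKDF2 run, and only the two “pancake1” accounts are recovered; carol’s password is never tried because it is not in the list. Raising the iteration count (or the bcrypt cost factor) is what turns “a couple of days” of cracking into something an attacker must budget for, and it does nothing for a password that is already in every wordlist.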