To crown the year, we have had two massive data breaches – the Quora (quora.com) and Marriott (or Starwood, to be more precise) breaches.
Quora, the California-based Q&A giant, has reported a breach affecting 100 million of its users.
Meanwhile, Marriott has been warning its customers of an old and entrenched security breach, which may have resulted in up to 500 million hotel reservations being siphoned off.
Today we look at these two “incidents” – if you can give such an innocent name to something so huge – and tell you all there is to know about them.
What questions about you has Quora answered?
The Quora data breach was noticed on Friday, November 30, and the company announced it to the public yesterday – December 4. That puts them more or less within the timeframe dictated by the European General Data Protection Regulation (GDPR), which obliges companies to report such breaches to authorities within 72 hours. We mention this detail to bring at least a glint of positivity into the Quora hack story, which goes downhill from here.
The Quora data breach was perpetrated by a “malicious third party,” who had gained access to the company’s systems. Although Quora is reportedly still investigating the causes of this breach, the company believes it has already “identified the root cause,” and enacted some measures to fix the issue. This means that while caution is still in order, a repeat of the same security breach is unlikely.
As mentioned, the Quora breach could have affected up to 100 million users, which, according to a statement from the company, does not constitute its entire user base. With that said, the actual number of accounts on Quora is unclear, and some estimate that 100 million sounds like a reasonable figure. In addition, not all users were affected to the same extent.
What data has the Quora hack compromised?
Q: What might the Quora hack have revealed about you?
Account and user information, e.g. name, email, IP, user ID, encrypted password, user account settings, personalization data
Public actions and content including drafts, e.g. questions, answers, comments, blog posts, upvotes
Data imported from linked networks when authorized by you, e.g. contacts, demographic information, interests, access tokens (now invalidated)
Questions and answers that were written anonymously are not affected by this breach as we do not store the identities of people who post anonymous content.
A: Quite a bit.
Malpractice at Starwood
The people screaming “I hate Quora” are not wrong but wait ‘til you hear this.
On Friday, November 30, Marriott began warning its clients about a breach of its Starwood hotel reservations database, which it had known about since September 12. Right off the bat, this seems to stand in violation of GDPR requirements, and Marriott could face a huge fine as a result.
That’s only half the issue. The other (worse) half is that this Marriott reservations database breach may have actually happened as far back as 2014. It was only noticed this year. That’s a lot of time for customer information to leak, for social engineers to commit all manner of fraud with it, etc.
Let’s get to the root of the issue – who and what is affected? Firstly, we should note that clients of Marriott brand hotels are probably not affected because these reservations are held in a different database. The “Marriott breach” is actually the Starwood breach.
For those not in the know, Starwood is a Marriott-owned hotel chain – the largest in the whole world. It covers 11 brands (Sheraton, W Hotels, St. Regis, etc.) and over a thousand hotels. In other words, the fact that it’s not the Marriott reservations database that was compromised makes it no less of a big deal.
What data has the Marriott breach compromised?
So here’s what information is on these hotel reservations, potentially stolen in the Marriott data breach:
Names, phone numbers, addresses, dates of birth, gender information, email addresses, passport numbers, arrival/departure info, the reservation date, and some other details.
Perhaps more alarmingly, some of the records would have contained encrypted credit card data and perhaps the key needed to decrypt them.
Just think what a smart criminal could do with all that information!
The issue doesn’t end there because the way Marriott has tried to deal with the situation has only caused more problems. For example, the email sent to clients came from the domain “email-marriott.com.” Now that, my friends, is phishy. Such practices create further opportunities for fraud and are a reflection of how bad Marriott is at crisis control.
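The check a cautious recipient has to make on a notification like that, as an added example that is not code from the original article or from Marriott: pull the sender domain out of a From: header and flag domains that carry the brand name but are not on a constructed allow-list of domains the organisation is known to own. The allow-list, the brand keywords, the sample headers and the "last two labels" rule for the registered domain are all assumptions made for this example.

```python
import re

# Constructed allow-list of domains assumed to be operated by the hotel group (assumption, not from the article).
LEGITIMATE_DOMAINS = {"marriott.com", "starwoodhotels.com"}
# Brand words whose presence in an unknown domain makes it look like the brand (assumption).
BRAND_KEYWORDS = ("marriott", "starwood", "sheraton")

def sender_domain(from_header: str) -> str:
    """Return the domain after '@' in a From: header such as 'Marriott <noreply@email-marriott.com>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return match.group(1).lower().rstrip(".") if match else ""

def registered_domain(domain: str) -> str:
    """Naive registered-domain rule: keep the last two labels (mail.marriott.com -> marriott.com).
    Good enough for .com-style names; a public-suffix list would be needed for co.uk-style names."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain

def classify_sender(from_header: str) -> str:
    """Classify a From: header as 'legitimate' (registered domain on the allow-list),
    'lookalike' (not on the allow-list but carries a brand keyword) or 'unrelated'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unrelated"
    reg = registered_domain(domain)
    if reg in LEGITIMATE_DOMAINS:
        return "legitimate"
    if any(keyword in reg for keyword in BRAND_KEYWORDS):
        return "lookalike"
    return "unrelated"

# Constructed sample headers; the first mirrors the domain the article quotes.
SAMPLE_HEADERS = [
    "Marriott <noreply@email-marriott.com>",
    "Marriott Bonvoy <updates@mail.marriott.com>",
    "Sheraton Offers <deals@sheraton-rewards.net>",
    "Bob <bob@example.org>",
]

def triage(headers=SAMPLE_HEADERS) -> dict:
    """Map each header to its classification so a user or mail filter can act on it."""
    return {header: classify_sender(header) for header in headers}

if __name__ == "__main__":
    for header, verdict in triage().items():
        print(f"{verdict:10s} {header}")
```

A domain classified as "lookalike" is not proof of fraud, only a signal that the recipient should confirm the sender through the organisation's own site rather than trust the message.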
What should you do?
Firstly, if you haven’t done so already, check whether your email password has been compromised. You can do so by going here and entering your email address.
Secondly, if you had an account on Quora.com and think you may have been compromised by the Quora data breach – change your passwords. Especially if you were using the same password for several different services. Quora gives users the opportunity to login using their Facebook or Google accounts, which is why you should probably change the passwords of these accounts in particular (if you have used them to log into Quora).
As for those who have stayed at a Starwood hotel: there’s not much you can do. Much of the data hackers have gained access to is “real world data,” such as your address or telephone number. Since it’s likely that they also have your email address, you should make sure your email password is as strong as Thor.
Lastly, beware of phishing attacks. It’s more than likely that scammers will use the Marriott breach to lure sensitive information out of unsuspecting people. Remember – the ones behind your hack have your email address, so if you receive an email from “Marriott”, “Sheraton” or one of the other “Starwood hotels,” asking for personal details, password changes, etc. – be extra careful!