How do I sue Quora

What to do if your customer data has been hacked

Marriott International: 500 million records.

Quora: 100 million records

Under Armour: 150 million records.

These are just three examples from a very long list of hacks in which customer data was stolen. Try replacing “records” with “data subjects”; then you realise what is actually going on.

The probability is very high that you have already been affected by a so-called data breach, meaning that your customer data is already in circulation somewhere.

It got me too. I received an email from Quora that my account information had been tapped.

But what do you do when you receive an email like this?

Be happy that you are informed at all

Let's put it this way: companies aren't exactly eager to let their customers know about a hack. Uber simply said nothing in 2016, and was later fined $148 million.

Under the GDPR the situation is now different: affected customers must be informed promptly.

So if you receive an email from a service that your customer data has been hacked: first of all, be grateful that you are informed at all.

The chance is very high that you have already been part of many data breaches but don't know it yet!

On the Have I Been Pwned page of security blogger Troy Hunt (what a name!) you can enter your email address and see in which breaches your customer data has already turned up. Troy loads every breached database he finds online into this tool.

The crux of the matter: the ones he finds online.

So if, for example, the Quora customer data never shows up on the darknet, it will not be included in this platform! But haveibeenpwned at least gives you an estimate of how exposed your data is.

For example, the lowest email address in my email hierarchy (yes, I have one) was included in 5 hacks.

Which data are affected?

According to the GDPR, the notification should state which data is affected. With Quora, for example, it was profile name, IP address, email, encrypted password and everything I did on the platform.

If you read this through, you quickly get a feeling for how critical the breach is. Quora in this case is “harmless” because only the respective account is affected: no credit card details, no passport details as with Marriott, for example.

Credit card details

If your credit card information is in a hack, that's a problem. Not just for yourself, but for the company.

No company today should (have to) store credit card data itself.

There are payment providers with a much higher security standard than an online shop. You can use them to process payments and also to store your credit card details.

I don't understand why companies want to take the risk of storage. Not only technically, but also legally, it's a completely different league than a few Quora users.

The following applies to stolen credit card data: watch whether anything happens with it, or order a new card right away.

Sensitive data

There's a reason why sensitive data is called that. Far more mischief can be done with religion, sexuality, medical history or biometric data than with my Quora account.

If sensitive data of yours is affected, I would consider legal steps. To put it in the words of Matthias Strolz: that's not okay!

Above all, you have to ask yourself why this data was stored in the first place.

Metadata

The Marriott International hack is so explosive because the reservation data of 500 million people leaked. We private individuals may not care, but this data set certainly contains people who were travelling for business or political purposes.

If I were a secret service, I would look closely at the Marriott data.

Data is usually not just data.

Account data

As sad as it sounds, your email address and username are probably already floating around somewhere. That part of the Quora email didn't really bother me. Only the password is critical in this case.

What does an attacker do with this data?

Depending on what was captured, there are different options:

Selling it

Credit card data costs around 5 dollars per card, depending on the credit limit and the quality of the data.

Try the login on other pages

This is what happened after the LinkedIn breach. The account emails are filtered (for example for @gmail.com addresses) and an attempt is made to log into Gmail with the same password. That is the reason why you should never use the same password more than once.

Espionage / Intelligence

Data leaks for espionage or by nation states cannot be ruled out either. That sounds like a conspiracy theory, of course, but who might be interested in the travel dates of high-profile individuals?

Spam

It is also very likely that your email address (if it is not already public) will be picked up by spam networks and you will receive more spam. Don't worry, as long as you don't click the links.

How should I react to that?

If you already have good operational security, i.e. you already follow good security practices, you don't even need to worry:

You used a password that you have not used anywhere else. That means: even if it were floating around in plain text (i.e. unencrypted), it could only be used to access your Quora account.

If not, or if you can't even remember, it gets a little more difficult. This is where my biggest problem with the affected companies lies:

"Encrypted"

... can mean anything.

“Encrypted” can be an MD5 hash, which a Google search often already resolves to the password.

Go ahead, try it on Google.

“Encrypted” can also mean that a computer would need many years to recover the password.
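The two ends of that spectrum, as an added illustration that is not code from the article: an unsalted MD5 digest (identical for every user with the same password, which is exactly why a lookup resolves it) beside a salted, slow PBKDF2 digest. The helper names and the 200,000-iteration work factor are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for the example; pick a current recommended value in production.
PBKDF2_ITERATIONS = 200_000


def legacy_hash(password: str) -> str:
    """The weak end of "encrypted": unsalted MD5.

    Every user with the same password gets the same digest, so one precomputed
    table (or a web search) resolves all of them at once.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hardened_hash(password: str, salt: Optional[bytes] = None) -> str:
    """The slow end: PBKDF2-HMAC-SHA256, random 16-byte salt, high iteration count.

    Stored as 'pbkdf2$<iterations>$<salt hex>$<digest hex>' so verification can
    recover its own parameters. The salt makes identical passwords hash differently.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hardened(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def assess_storage(scheme: str) -> str:
    """The technical assessment the article asks breached companies for.

    Assumed classification, on the article's own scale: plain or fast unsalted
    hashes are negligent; salted slow hashes buy the user time to rotate.
    """
    negligent = {"plaintext", "md5", "sha1", "sha256"}
    slow = {"pbkdf2", "bcrypt", "scrypt", "argon2"}
    if scheme.lower() in negligent:
        return "we acted negligently: rotate this password everywhere now"
    if scheme.lower() in slow:
        return "slow salted hash: still rotate, but you have time"
    return "unknown scheme: treat as negligent until the company says otherwise"
```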

And that's what bothers me about how companies deal with data breaches:

How am I supposed to know whether the attackers already have my password in plain text or whether it will take years before it actually becomes critical? I would like a technical assessment here, on a scale from "We acted negligently" to "Check again in 400 years whether anything has happened".

That would also tell you how well the company is set up in terms of security, and whether you should ever buy from or log in there again.

But fine, no matter how the password was stored:

  • Change all passwords on platforms where you used the same password
  • Get a password manager like LastPass or 1Password

But that's about it. You could still delete your account (you of course have that right under the Data Protection Act), but that will not remove your customer data from the hack.

The cat is out of the bag.

Pandora's box opened.

The life after

Depending on whether you are facing future identity theft (as with the Equifax hack) or it was merely some minor throwaway account that got caught, you should be more or less worried.

But be aware at the same time:

It will affect everyone; it is now part of online life. Only when you have really been hacked is it a genuine emergency.

Not everything is negative

Even if my articles make it sound otherwise, there are also positive examples of how customer data is handled:

For example, GitHub no longer allows passwords that have already turned up in a data breach. That doesn't make the platform itself safer, but it reduces the attack surface for the individual user should something happen.
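How such a check can be done without ever sending the password, or even its full hash, to the lookup service: an added example, not GitHub's or Have I Been Pwned's own code. It models the k-anonymity "range" lookup that Have I Been Pwned's Pwned Passwords API exposes (the client sends only the first five hex characters of the SHA-1 and matches the returned suffixes locally), with a constructed three-entry corpus standing in for the breach database and made-up counts.

```python
import hashlib
from collections import defaultdict
from typing import Callable, Dict

# Constructed stand-in for a breach corpus (password -> made-up occurrence count).
# A real service holds hundreds of millions of hashes; never embed real breach data.
CONSTRUCTED_BREACHED: Dict[str, int] = {"password": 3, "123456": 5, "qwerty": 2}


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the hash form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> Dict[str, list]:
    """Server side: bucket 'SUFFIX:COUNT' entries by the 5-char hash prefix."""
    index: Dict[str, list] = defaultdict(list)
    for password, count in corpus.items():
        digest = sha1_upper(password)
        index[digest[:5]].append(f"{digest[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHED)


def range_lookup(prefix: str) -> str:
    """Server side: one response body (newline-separated 'SUFFIX:COUNT' lines)
    for a 5-character prefix, the same shape the real range endpoint returns."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return "\n".join(RANGE_INDEX.get(prefix, []))


def breach_count(password: str, lookup: Callable[[str], str] = range_lookup) -> int:
    """Client side: only the prefix leaves the client; the suffix is matched locally.
    Returns how often the password was seen, 0 if unseen."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if not line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def accept_new_password(password: str) -> bool:
    """Signup policy as the article describes GitHub's: refuse any breached password."""
    return breach_count(password) == 0
```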

❓ Now I'd like to know: have you already been in a data breach? Is your customer data floating around somewhere? Have you already experienced negative consequences as a result?