On Monday, the question and answer site Quora announced that a third-party was able to gain access to virtually every data point the company keeps on 100 million users. Even if you don’t recall having a Quora account, you might want to make sure.
In a blog post, Quora CEO Adam D’Angelo explained that the company first noticed the data breach on Friday and has since enlisted independent security researchers to help investigate what happened and mitigate the damage. D’Angelo said that affected users should be receiving an email that explains the situation, but if you have a Quora account, it’s probably a good idea to go ahead and change your password—especially if you reuse passwords. In all, the attackers were able to compromise a lot of data. Quora says that information includes:
Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorised by users
Public content and actions, e.g. questions, answers, comments, upvotes
Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)
Fortunately, Quora says it has not stored any identifying information associated with anonymous inquiries and replies.
For users, the biggest immediate concern should be that part about hackers accessing “data imported from linked networks.” Quora allows users to sign in with Facebook or Google and it’s possible that personal information from one of those networks also made it into the wrong hands. We’ve asked all three companies for more details on exactly what was compromised but we did not receive an immediate reply.
We also asked Quora what type of cryptographic hashing method it uses. The hackers should only be able to figure out the password through brute-force guessing and that takes longer depending on the complexity of the hash.
The good news is that there’s no financial information associated with Quora users, the bad news is that the website is more like a social network than it might seem. People ask personal questions that could help draw a personality profile and others give answers that could do the same. Earlier this year, when Facebook admitted that it had lost control of 87 million users data, the general public was reminded that data breaches aren’t just about identity theft.
In that case, a firm working for the 2016 Trump presidential campaign obtained access to the data, raising concerns that it was used for targeted political messaging. The firm has disputed the number of users’ data it obtained and maintains that none of the data was directly employed during the 2016 election.
For now, check your inbox for any notifications and you can read an FAQ here.