Quora announced tonight that one of their systems was hacked and has led to the exposure of approximately 100 million user's data to an unauthorized third-party.
Quora discovered this breach on Friday, November 30th, when saw that user's data was accessed by an unauthorized third-party. Quora stated that they then contacted law enforcement and hired a digital forensics and security consulting company to determine how this breach occurred and who may have conducted the attack.
"We recently became aware that some user data was compromised due to unauthorized access to our systems by a malicious third party," stated Quora's security update. "We have engaged leading digital forensic and security experts and launched an investigation, which is ongoing. We have notified law enforcement officials. We are notifying affected Quora users. We have already taken steps to ensure the situation is contained, and we are working to prevent this type of event from happening in the future. Protecting our users’ information and fostering an environment built on trust remains our top priority so that together we can continue to share and grow the world’s knowledge."
The data that was exposed for the 100 million users includes:
- Account information (e.g. name, email address, encrypted password, data imported from linked networks when authorized by users)
- Public content and actions (e.g. questions, answers, comments, upvotes)
- Non-public content and actions (e.g. answer requests, downvotes, direct messages)
It is not currently known how the attacker gained access to their systems. Quora has started emailing users who were impacted by this breach. These emails do not contain any further information than what was already given.
BleepingComputer has contacted Quora for answers to further questions, but had not heard back at the time of this publication.
Securing your passwords at other sites
Quora is estimated to be the 95th largest site in the world with close to 700 million visits per month, so the amount of users affected is staggering. With that said, there is thankfully no financial information associated with the exposed user data. Instead users need to be concerned that their will be attempts to use their information to try to gain access at other sites that they have accounts.
Due to this, it is necessary for all users to change any passwords at other sites that use the same password as Quora. It is also strongly suggested that unique passwords are used at every site you visit in order to minimize the impact of a breach like this.
Update 12/3/18 9:40PM EST: Updated to include information about emails that are going out.
Comments
Genex17 - 5 years ago
If I use a social media account like Facebook or Google to access Quora...is the their login info stored on Quora's site?
Lawrence Abrams - 5 years ago
On Twitter, go to Settings -> Apps and devices and revoke any sites you do not wish to have access to your twitter login/profile.
Facebook, go to Settings -> Apps and Websites and do the same.
buddy215 - 5 years ago
You would be recognized at Quora by the cookies it places on your computer. Google and Facebook should not and would not allow Quora to see your passwords for those two. Delete Quora cookies in your browsers and you would need to login again to Quora.
Genex17 - 5 years ago
Cookies deleted and I logged in again. Thanks for the advice.
I don't think I have anything of value there. They may have my real name (quora policy) and email, but so do others.