Quora hack leaves details of 100 million accounts exposed

It’s not a site that I use often, but I woke up this morning to discover that overnight I had received two emails from Quora.

Turns out that over the years I have created two accounts on the Quora question & answer website, which means that I actually received two email notifications from them that they had been hacked.

And I wasn’t the only one surprised to hear from Quora.

Part of the email reads as follows:

Quora email

We are writing to let you know that we recently discovered that some user data was compromised as a result of unauthorized access to our systems by a malicious third party. We are very sorry for any concern or inconvenience this may cause. We are working rapidly to investigate the situation further and take the appropriate steps to prevent such incidents in the future.

What Happened

On Friday we discovered that some user data was compromised by a third party who gained unauthorized access to our systems. We’re still investigating the precise causes and in addition to the work being conducted by our internal security teams, we have retained a leading digital forensics and security firm to assist us. We have also notified law enforcement officials.

While the investigation is still ongoing, we have already taken steps to contain the incident, and our efforts to protect our users and prevent this type of incident from happening in the future are our top priority as a company.

According to an advisory and FAQ published by Quora, approximately 100 million Quora accounts may have had their information accessed by hackers. (Even if some Quora users had more than one account like me, that’s an awfully large number).

The information accessed by the hackers includes:

  • Account information, e.g. name, email address, encrypted passwords (hashed with a salt that varies for each user), data imported from linked networks when authorized by users
  • Public content and actions, e.g. questions, answers, comments, upvotes
  • Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)

If you were wise enough to post questions and answers anonymously then you are not affected by the breach.

Quora users will be prompted to reset their passwords at their next login. Alternatively, you can delete your account, which will erase your profile, messages, comments, and answers you have posted. The site will, however, retain any questions you have asked on the site (albeit disassociating them publicly from your name).

I’m certainly going to consider deleting my account, as I barely remember using the site. The smaller the number of websites that are retaining your personal information the better.

Whether you deactivate your account or not, please be sure to check that you have not made the mistake of reusing the same password on multiple websites. It’s a recipe for disaster. If you are wondering how you are supposed to create and remember strong, unique passwords for all of the websites you access, I have a simple answer for you: get a password manager.

To learn more about password security you can do a lot worse than listen to this episode of the “Smashing Security” podcast:

Smashing Security #99: ‘Passwords - A Smashing Security splinter (replay)’


2 Responses

  1. Michael Wosnick

    December 4, 2018 at 2:58 pm #

    I was one of the ones who also got these e-mails. I was less worried about any Quora “questions” I have ever answered there than I was about the part where they reference “data imported from linked networks when authorized by users”. Does this mean that if you logged in via Google, for example, that your Google credentials have potentially been compromised? Not sure how that part works…

  2. Jim Dibb

    December 4, 2018 at 3:54 pm #

    I deleted my account, which was connected via Google. It was also the push I needed to get myself out of there. So many inane, poorly asked, easily Googled and/or trolling questions; it was more like watching a train wreck than anything else. I do have to say I have great respect for a lot of the answer authors that put so much time into reasoned, detailed and highly technical answers to often idiotic questions. From Quora I learned that, in fact, there ARE stupid questions. Love the podcast!
