It’s not a site that I use often, but I woke up this morning to discover that overnight I had received two emails from Quora.
Turns out that over the years I have created two accounts on the Quora question & answer website, which means that I actually received two email notifications from them that they had been hacked.
And I wasn’t the only one surprised to hear from Quora.
Nothing like a data breach to remind me that I have a Quora account
— Aaron Patterson (@tenderlove) December 4, 2018
Part of the email reads as follows:
We are writing to let you know that we recently discovered that some user data was compromised as a result of unauthorized access to our systems by a malicious third party. We are very sorry for any concern or inconvenience this may cause. We are working rapidly to investigate the situation further and take the appropriate steps to prevent such incidents in the future.
On Friday we discovered that some user data was compromised by a third party who gained unauthorized access to our systems. We’re still investigating the precise causes and in addition to the work being conducted by our internal security teams, we have retained a leading digital forensics and security firm to assist us. We have also notified law enforcement officials.
While the investigation is still ongoing, we have already taken steps to contain the incident, and our efforts to protect our users and prevent this type of incident from happening in the future are our top priority as a company.
According to an advisory and FAQ published by Quora, approximately 100 million Quora accounts may have had their information accessed by hackers. (Even if some Quora users had more than one account like me, that’s an awfully large number).
The information accessed by the hackers includes:
- Account information, e.g. name, email address, encrypted passwords (hashed with a salt that varies for each user), data imported from linked networks when authorized by users
- Public content and actions, e.g. questions, answers, comments, upvotes
- Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)
If you were wise enough to post questions and answers anonymously, then you are not affected by the breach.
Quora users will be prompted to reset their passwords at their next login. Alternatively, you can delete your account, which will erase your profile, messages, comments, and answers you have posted. The site will, however, retain any questions you have asked (albeit publicly disassociating them from your name).
I’m certainly going to consider deleting my account, as I barely remember using the site. The smaller the number of websites that are retaining your personal information the better.
Whether you deactivate your account or not, please be sure to check that you have not made the mistake of reusing the same password on multiple websites. It’s a recipe for disaster. If you are wondering how you are supposed to create and remember strong, unique passwords for all of the websites you access, I have a simple answer for you: get a password manager.
To learn more about password security you can do a lot worse than listen to this episode of the “Smashing Security” podcast: