4 December 2018

Quora announces security breach

Adam D'Angelo, CEO of Quora, has disclosed in a blog post that the question and answer site has suffered a security breach that could affect as many as 100 million users.

"We are working rapidly to investigate the situation further and take the appropriate steps to prevent such incidents in the future," D'Angelo said in the post.

Victims may have had their data compromised. This includes information such as their name, email address, encrypted (hashed) password, as well as data imported from linked networks when authorised by users.

In addition, public content and actions on Quora, such as their questions, answers, comments, and upvotes, might have been stolen. Non-public content and actions, including answer requests, downvotes, and direct messages - which D'Angelo says are rare - could also have been compromised.

Questions and answers that were written anonymously are not affected by this breach as Quora does not store the identities of people who post anonymous content.

The facts:

- The unauthorised access was discovered on 30 November. 

- Quora is still investigating.

- Quora's internal security teams are involved, together with a leading digital forensics and security firm. 

- Law enforcement officials have been notified.

- Quora is emailing users whose data has been compromised.

- All Quora users who may have been affected have also been logged out, and their passwords have been invalidated.

"While the investigation is still ongoing, we have already taken steps to contain the incident, and our efforts to protect our users and prevent this type of incident from happening in the future are our top priority as a company," D'Angelo said.

"We believe we’ve identified the root cause and taken steps to address the issue, although our investigation is ongoing and we’ll continue to make security improvements."

D'Angelo also said users should not reuse the same password across multiple services, and that passwords should be changed.

"It is our responsibility to make sure things like this don’t happen, and we failed to meet that responsibility. We recognise that in order to maintain user trust, we need to work very hard to make sure this does not happen again.

"There’s little hope of sharing and growing the world’s knowledge if those doing so cannot feel safe and secure, and cannot trust that their information will remain private.

"We are continuing to work very hard to remedy the situation, and we hope over time to prove that we are worthy of your trust," he said in the blog post.

In mid-2017 D'Angelo said Quora had 200 million monthly unique visitors.

Details:

Quora has prepared a FAQ for users. The page includes instructions on how to receive a copy of all Quora data about a user, and also how to delete a Quora account.

Explore:

The Quora breach comes soon after the Marriott breach, which WorkSmart Asia blogged about. Security firm Sophos' comments on the Marriott breach are likely to hold true for the Quora breach as well.