Question-and-answer website Quora has suffered a data breach that may have affected approximately 100 million of its users.
Quora was founded in June 2009 by former Facebook employees Adam D’Angelo and Charlie Cheever and hit 300 million monthly users in September 2018.
The site requires/encourages users to register with their real names, ostensibly to add credibility to the answers they provide. Users can also log in with their Google or Facebook accounts. Users with a certain amount of activity on the website are given the option to write their answers anonymously.
About the breach
“We recently discovered that some user data was compromised as a result of unauthorized access to one of our systems by a malicious third party,” Quora CEO Adam D’Angelo announced on Monday.
They discovered the breach on Friday, November 30.
The investigation is still ongoing, but for the time being, they believe that account information, public content and actions, and non-public content and actions for some 100 million users may have been compromised.
Account information includes the user’s name, email address, IP address, password (hashed with a salt that varies for each user), user account settings, and data imported from linked networks when authorized by users, e.g. contacts, demographic information, interests, access tokens (the latter have been invalidated).
Public content and actions include questions, answers, comments, and upvotes, while non-public content and actions are answer requests, downvotes, and direct messages.
“Questions and answers that were written anonymously are not affected by this breach as we do not store the identities of people who post anonymous content,” D’Angelo added.
“The overwhelming majority of the content accessed was already public on Quora, but the compromise of account and other private information is serious.”
The company has retained a digital forensics and security firm to assist them in the investigation and has notified law enforcement about the breach.
They are also notifying the potentially affected users directly via email and have logged out all Quora users who may have been affected and invalidated their passwords.
“We believe we’ve identified the root cause and taken steps to address the issue, although our investigation is ongoing and we’ll continue to make security improvements. We will continue to work both internally and with our outside experts to gain a full understanding of what happened and take any further action as needed,” he concluded.
In the FAQ section published to offer more information about the breach, the company has included information on how users can reset their password, get a copy of all their data from Quora, and delete their account (and all the data in it).