100 Million Quora Users Affected by Massive Data Breach
Up to 100 million Quora users have had their account information compromised by hackers, including user names, encrypted passwords, private actions and email addresses.
Knowledge sharing website Quora has announced that a “malicious third party” accessed one of its systems and made off with the sensitive data of an estimated 100 million users.
Quora is urging its users to change their passwords, while other commentators are suggesting they simply delete their accounts. If a user had imported data from another social network, such as contacts or demographic information, that data may have been compromised too, along with the user’s name, email address and encrypted password.
Some private actions on the site may have been taken as well, such as direct messages sent between users, comments, upvotes and answer requests. According to the company the majority of content accessed was already public on the site.
The popular site is a platform for sharing questions and answers by members, often anonymously. The company said that identities of individuals who asked and answered questions should remain anonymous as it does not store identifiable information for those posts.
Internal Investigation Still in Progress
To prevent further damage to users, in what Quora describes as “an abundance of caution”, the company is logging out all its users who may have been affected and is currently in the process of notifying those impacted.
The company said it has retained a leading digital forensics and security firm to assist with its internal investigation, which is ongoing at this time.
Quora chief executive Adam D’Angelo wrote in a blog post: “It is our responsibility to make sure things like this don’t happen, and we failed to meet that responsibility.
“We recognize that in order to maintain user trust, we need to work very hard to make sure this does not happen again…We are continuing to work very hard to remedy the situation, and we hope over time to prove that we are worthy of your trust.”
Ian Thornton-Trump, head of Cyber Security at AMTrust International, told DIGIT: “Quora did everything right. They identified the data involved in the breach, what the impact could be and provided some high level details.
“More importantly, they identified that user passwords were hashed and salted, which is a step in the right direction for web application security.
“It would appear they even made the 72 hour regulatory notification requirement. There will still be some questions about to what degree passwords were hashed and salted, but I think they did a good job.”
Massive Data Breaches Becoming Commonplace
While Quora may have responded well, that does not detract from the fact that massive high-profile data breaches have become the norm over the past few years.
Last week, the Marriott breach saw the personal data of up to 500 million guests compromised and in September a hacker gathered the personal information of up to 29 million Facebook accounts.