Quick Q&A about Quora’s 100m-user data breach

4 Dec 2018

Quora smartphone app. Image: Piter2121/Depositphotos

Q&A website urges users to change passwords in wake of data breach.

Popular discussion platform Quora has been attacked by hackers who seized passwords and other potentially sensitive personal data on 100m users.

In recent days, hotel chain Marriott International revealed a system breach that allowed hackers to steal passport numbers, credit card details and other information on about 500m customers. It follows an attack on social network Facebook in September that saw personal details of around 50m users potentially compromised, although the number was eventually lowered to 30m.

What actually happened?

Quora has become the latest internet brand to suffer a breach. It said that on Friday (30 November), it discovered that some user data was compromised by a third party that gained unauthorised access to its systems.

It has engaged a digital forensics specialist and has notified law enforcement. “While the investigation is still ongoing, we have already taken steps to contain the incident, and our efforts to protect our users and prevent this type of incident from happening in the future are our top priority as a company,” Quora CEO Adam D’Angelo said.

How much data was stolen?

The data stolen contained account information including names, hashed passwords, data imported from linked networks, questions, answers, upvotes and non-public content such as direct messages.

“Questions and answers that were written anonymously are not affected by this breach as we do not store the identities of people who post anonymous content. The overwhelming majority of the content accessed was already public on Quora, but the compromise of account and other private information is serious.”

I’m a Quora user, what do I do next?

Quora said that while passwords were encrypted or hashed, it recommends that users change their passwords and do not use the same password across multiple services.

What will Quora do next?

It is in the process of notifying users and, as a precautionary step, it is logging out all Quora users who may have been affected. If they use a password as their authentication method, it is invalidating those passwords.

“We believe we’ve identified the root cause and taken steps to address the issue, although our investigation is ongoing and we’ll continue to make security improvements.”

If I had a hashed password, would that be good enough?

No guarantees. According to Ars Technica, up to 80pc of password hashes can be cracked in a day or two, while hashing functions such as bcrypt can prevent hashes from being converted into plaintext.

If you are a Quora user and logged in using a password rather than any other form of authentication such as Facebook or Google, you’d best err on the side of caution and change your password, even if not prompted to do so by Quora.

What is Quora?

It is a popular Q&A website where questions are asked, answered, edited and organised by its community. It was founded in 2009 by former Facebook employees Adam D’Angelo and Charlie Cheever. Users are known for writing long, blogpost-like answers to questions. In September, the company reported hitting 300m monthly users.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
