Question: Did Quora Hack Expose 100 Million Users?Answer: Yes, Q&A Site Believes Hackers Stole Private Content, Hashed Passwords
Next to corporate communications that claim that "your security is important to us," or that "protecting your information is our top priority," any post to a website titled "security update" means bad news.
So too for Quora. Following in the footsteps of numerous other breached businesses, the Mountain View, California-based question-and-answer site issued a data breach notification on Monday headlined "security update," by which it meant failure.
"We are working rapidly to investigate the situation further."
"We recently discovered that some user data was compromised as a result of unauthorized access to one of our systems by a malicious third party," Quora CEO Adam D'Angelo says in the breach notification, with "malicious third party" meaning hacker.
"We are working rapidly to investigate the situation further and take the appropriate steps to prevent such incidents in the future," he says, suggesting that it is belatedly paying for the information security practices, processes, technology and personnel that it should have already had in place, if it were to have prevented the breach in the first place.
Quora doesn't know how it was hacked. "We're still investigating the precise causes, and in addition to the work being conducted by our internal security teams, we have retained a leading digital forensics and security firm to assist us," D'Angelo says. "We have also notified law enforcement officials."
Exposed: Private Content
Quora says it believes that about 100 million users were affected by the breach.
Question: How many users does Quora have?
Answer: As of September, about 300 million active monthly users.
Quora says the attacker appears to have stolen:
- Account information: Name, email address, "encrypted (hashed) password," as well as "data imported from linked networks when authorized by users."
- Public content and actions: "Questions, answers, comments, updates."
- Private content and actions: Answer requests, "downvotes," as well as any direct messages users might have sent.
We have discovered that some user data was compromised by unauthorized access to our systems. We've taken steps to ensure that the situation is contained and are notifying affected users. Protecting your information is our top priority. Read more here: https://t.co/uwbdMjoM1v— Quora (@Quora) December 3, 2018
Quora says all users will have to change their passwords, which is a best practice for any user of any site that's been breached.
"Out of an abundance of caution, we are logging out all Quora users who may have been affected, and, if they use a password as their authentication method, we are invalidating their passwords," the company says in its data breach notification (see: Experts' View: Avoid Social Networks' Single Sign-On).
It goes without saying that everyone, at all times and with no exceptions, should never, ever use the same password on more than one site. Doing so makes it child's play for attackers to launch credential-stuffing attacks. These involve taking an email address and password pair obtained from a data breach or leak - for example, from Quora - and plugging it into a number of other sites and services, to see where else it might work (see: Credential Stuffing Attacks: How to Combat Reused Passwords).
Pandemonium, identity theft and fraud may follow.
In short: Use a password manager to generate and store strong, unique passwords for every site and service you use, or suffer even worse consequences than having your private questions and answers get exposed in a data breach.
Follows Marriott Breach Alert
On Friday, hotel giant Marriott disclosed that a hack that apparently began four years ago with its Starwood-branded hotels, which it purchased in September 2016, persisted until Sept. 10. So far, Marriott believes that up to 500 million individuals' personal details were exposed (see: Marriott Mega-Breach: Will GDPR Apply?).
Unlike Quora, however, Marriott appears to have tried to bury its bad news by releasing it on a Friday. That's a well-worn public relations strategy - beloved by businesses and politicians alike - for trying to minimize news coverage and capitalize on the fact that fewer people may be following news outlets on Saturday (see: Chipotle: Hackers Dined Out on Most Restaurants).