Quora.com, a mainstream Q&A site is the latest victim of a massive security breach which affected an estimated 100 million user accounts. According to the initial report, the following records have been stolen from the site’s database:
- Hashed and salted passwords
- Email addresses
- Full names
- Linked network information (for those using Quora using their Facebook/Gmail accounts)
- Upvote, downvote, user posts and even private conversations between users.
“We are working rapidly to investigate the situation further and take the appropriate steps to prevent such incidents in the future. We also want to be as transparent as possible without compromising our security systems or the steps we’re taking, and in this post we’ll share what happened, what information was involved, what we’re doing, and what you can do. We’re very sorry for any concern or inconvenience this may cause,” said Adam D’Angelo, Chief Executive Officer of Quora.
Quora administrators detected unauthorized access of their data only last Nov 30, 2018. The unknown 3rd party got their hands to the user’s database, exposing personally identified information. The Q&A site then enlisted the help of forensic experts to further investigate the issue.
“We’re in the process of notifying users whose data has been compromised. Out of an abundance of caution, we are logging out all Quora users who may have been affected, and, if they use a password as their authentication method, we are invalidating their passwords. We believe we’ve identified the root cause and taken steps to address the issue, although our investigation is ongoing and we’ll continue to make security improvements,” added D’Angelo.
The Quora CEO also promised that affected users will be contacted through email, and they will also receive updates regarding the progress of their investigation. They also partnered with law enforcement authorities in order to accelerate the probe of this biggest data breach in the company’s history.
The data breach could have been bigger than 100 million if Quora logs the system information of those that posted anonymously. Luckily, those who posted as anonymous were assured to maintain anonymity since the database doesn’t store IP information of anonymous posters.
Quora is also confident that with their salted hash password implementation, hackers will never be able to find out the real passwords of the users affected by the security breach.“While the passwords were encrypted (hashed with a salt that varies for each user), it is generally a best practice not to reuse the same password across multiple services, and we recommend that people change their passwords if they are doing so,” emphazised D’Angelo.
The safest way to use the Internet today is to have unique passwords for each site or web service the user signs-up for. Recycling the same password over-and-over across many sites is a recipe for disaster, as a data breach in one site enables unknown 3rd parties potential access to other sites that the user frequently visits.
The bottom line, Quora has taken responsibility for the breach, their CEO has admitted and claimed full responsibility towards their users. “It is our responsibility to make sure things like this don’t happen, and we failed to meet that responsibility. We recognize that in order to maintain user trust, we need to work very hard to make sure this does not happen again. There’s little hope of sharing and growing the world’s knowledge if those doing so cannot feel safe and secure, and cannot trust that their information will remain private. We are continuing to work very hard to remedy the situation, and we hope over time to prove that we are worthy of your trust,” concluded D’Angelo.
