Quora, a popular question-and-answer website, recently suffered a major cyber attack that compromised the names, email addresses, encrypted passwords, user account settings and IP addresses of 100 million of its customers. News of the breach arrived in emails sent to the affected users – half its estimated 200 million account base – and through a public announcement made on Monday on its website. The company discovered the breach on 30 November, finding that “data was compromised by a third party who gained unauthorized access to our systems,” wrote Quora CEO Adam D’Angelo.
The breached data includes account information, such as name, email address, password, and data imported from linked networks, as well as public content and actions, such as questions, answers, upvotes and comments.
Quora responded quickly, sending out an email and publishing a blog post with more information about the security breach that affected its service. Firstly, Quora apologized for the data breach incident. Secondly, the breach affected approximately 100 million Quora users, which is roughly one-third of its active monthly user base, based on some of the figures floating around over the past few months. Thirdly, Quora is actively investigating the breach, which it just discovered on Friday, and here’s what it has found so far:
“For approximately 100 million Quora users, the following information may have been compromised:
- Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users
- Public content and actions, e.g. questions, answers, comments, upvotes
- Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)”
We have discovered that some user data was compromised by unauthorized access to our systems. We’ve taken steps to ensure that the situation is contained and are notifying affected users. Protecting your information is our top priority. Read more here: https://t.co/uwbdMjoM1v
— Quora (@Quora) December 3, 2018
What to do next?
Quora has been emailing those who have potentially been affected by the breach. But even if you don’t receive an email, situations like these are a great time to review your online security setup. If you used your Quora password on other sites and services, it’s high time to change it there too. Most importantly, use a unique password for each site and service; there’s no reason to use the same password across multiple sites. Turn on two-factor or two-step authentication wherever it is offered. A site or service that supports it will ask you for a secondary form of verification (a texted code, an authentication prompt, a number you read from a software or hardware token, et cetera) that you have to enter in addition to your password to gain access. If you have a dormant Quora account, go ahead and delete it.