Quora.com admits data breach affecting 100 million accounts

Hackers have compromised data from the accounts of 100 million users of question and answer site, Quora.com.

The bad news arrived in emails sent to the affected users – half its estimated 200 million account base – and through a public announcement made on Monday on its website.

The company discovered the breach on 30 November, finding that “data was compromised by a third party who gained unauthorized access to our systems,” wrote Quora CEO, Adam D’Angelo.

Data accessed included private information such as name, email address and encrypted (hashed) passwords, and any data imported from linked networks as authorised by account holders.

Also taken was “Non-public content and actions, e.g. answer requests, downvotes, direct messages,” however the company believes only a low percentage of users had such data in their accounts.

In addition, the hackers got hold of any questions, answers and upvotes posted by users, although these would also have been publicly available on the site itself.

Anyone who posted anonymously to the site over the years is not affected as Quora does not store data from these users, the company said.

What to do

If you’re one of the 100 million, the company will log you out of your account and ask you to reset the password the next time you try to log in.

Even if you’re a Quora user who isn’t asked to change their password, it’s a good idea to do this anyway – even if you’re one of the sizeable number of people who might have forgotten they signed up on the site at some long-forgotten moment in the past.

What is Quora doing to stop something similar happening in future?

We believe we’ve identified the root cause and taken steps to address the issue, although our investigation is ongoing and we’ll continue to make security improvements.

Passwords matter

As with any data breach, the lurking issue is what hackers might do with the data they stole last week.

The worry isn’t simply the compromised Quora accounts themselves but that some of the passwords used to secure them might have been re-used on other websites. A lot here depends on how long ago the hackers accessed the data before it was discovered.

Quora says the passwords were “encrypted”. We hope it means the data had been run through a password hashing function and just chose a word people are more likely to recognise as ‘secure’.

What the company hasn’t told us is what hashing function it used, nor the salting/iteration it used with it. Those details could makes all the difference.

If the company used obsolete MD5 or SHA-1, hashes to protect passwords, that’s not good news. If it used something like bcrypt or scrypt with adequate stretching, that would be more reassuring because it means cracking users’ passwords will be many orders of magnitude slower and more costly.

For an illustration of the difference it makes, take a look at what happened when researchers tried to crack the passwords exposed by the Ashley Madison breach.

Quora’s data breach announcement makes it the third big brand to fall to the hackers in a week, after Marriott (which affected 500 million accounts), and Dell (the size of which is as yet unknown).