Quora confirms data breach for 100 million users

The company says passwords, names, email addresses and more were compromised. It promised to take new safety measures, hoping to regain consumer trust.

Quora revealed it is the latest company to get hacked, with data being improperly accessed on as many as 100 million user accounts.

The website, which allows users to ask and answer questions in an online forum, said compromised information includes users’ names, email addresses, passwords and data from linked social media accounts like Facebook and Twitter. Hackers also got information about Quora members’ history of use, but users who participated anonymously on the site were not affected.

The company confirmed the breach with a tweet:

It also addressed the breach in a blog post.

In the post, CEO Adam D’Angelo explained how the hack occurred. He wrote:

On Friday we discovered that some user data was compromised by a third party who gained unauthorized access to one of our systems. We’re still investigating the precise causes and in addition to the work being conducted by our internal security teams, we have retained a leading digital forensics and security firm to assist us. We have also notified law enforcement officials.

While the investigation is still ongoing, we have already taken steps to contain the incident, and our efforts to protect our users and prevent this type of incident from happening in the future are our top priority as a company.

He promised the company was taking new steps to beef up security and protect users.

While our investigation continues, we’re taking additional steps to improve our security:

  • We’re in the process of notifying users whose data has been compromised.
  • Out of an abundance of caution, we are logging out all Quora users who may have been affected, and, if they use a password as their authentication method, we are invalidating their passwords.
  • We believe we’ve identified the root cause and taken steps to address the issue, although our investigation is ongoing and we’ll continue to make security improvements.

We will continue to work both internally and with our outside experts to gain a full understanding of what happened and take any further action as needed.

Quora took responsibility for the breach and said it had failed its users.

The post concluded:

It is our responsibility to make sure things like this don’t happen, and we failed to meet that responsibility. We recognize that in order to maintain user trust, we need to work very hard to make sure this does not happen again. There’s little hope of sharing and growing the world’s knowledge if those doing so cannot feel safe and secure, and cannot trust that their information will remain private. We are continuing to work very hard to remedy the situation, and we hope over time to prove that we are worthy of your trust.

Quora is trying to offer transparency for affected users by publishing extensive reports about the breach. However, some consumers may want more.

Tom’s Guide wrote:

Quora has posted an extensive FAQ explaining details of the data breach, but the FAQ doesn’t mentioned how user passwords were hashed, i.e. run through a one-way encryption algorithm. This matters because hashing algorithms vary greatly in strength. Passwords hashed with some older algorithms can be “cracked,” or reversed, in milliseconds using standard desktop computers, while passwords using new algorithms might take thousands of years to crack.

Many pointed to the frequency of these reports and are advising stricter password safeguards for users.

Ars Technica wrote:

Quora’s post is only the latest disclosure of a major breach. On Friday, hotel chain Marriott International said a system breach allowed hackers to steal passport numbers, credit card data, and other details for 500million customers. In September, Facebook reported an attack on its network that allowed hackers to steal personal details for as many as 50 million users. The social network later lowered the number of accounts affected to about 30 million.

Readers are, once again, reminded to use a long and complex password that’s unique to each site, ideally by using a password manager. Whenever multi-factor authentication is available, people should also use that protection as well.

On social media, many were ready to impugn the company’s crisis response efforts.

Reactions also reveal consumer weariness with both the hacks and company responses to these incidents:

Some say the company has yet to fully explain the breach:

Unless companies can convince consumers that they can keep their data safe, they may stop signing up for some online memberships.

What do you think of Quora’s crisis response efforts, PR Daily readers?

(Image via)


Health Care News Feed

Sign up to receive the latest articles from Health Care News directly in your inbox.