Question-and-answer behemoth Quora has announced a major security breach that may have impacted as many as 100 million users.
The San Francisco-based company, which has raised more than $220 million in funding since its inception in 2009, said that “some user data” was compromised following “unauthorized access to one of our systems by a malicious third party,” according to Quora cofounder and CEO Adam D’Angelo in a blog post.
A separate email was sent out to affected Quora users informing them of the breach.
D’Angelo, who formerly served as chief technology officer (CTO) at Facebook before starting Quora, said that the breach was spotted on Friday (November 30) and may have compromised myriad personal details including names, email addresses, data imported from other third-party sites, and encrypted passwords. The breach may also include content and related data, such as questions posted, comments made, downvotes, direct messages, and more. However, any questions and answers that were posted anonymously will not be part of the breach.
Quora’s last big fundraise arrived via an $85 million series D round in April 2017, at which point the platform claimed 190 million visitors. By the following year, Quora claimed 300 million monthly visitors. It is worth noting here, however, that all those visitors don’t necessarily have an account with Quora — it is possible to read the answers to some questions when they turn up in a Google search. Quora has not revealed how many active accounts it hosts, though 100 million users doesn’t sound like it would be too far off its entire user base. That said, in a separate FAQ section about this breach, the company said:
Not all Quora users are affected, and some were impacted more than others. We are notifying those affected of the incident, and will provide updates as they are available.
A day rarely goes by without some form of data breach hitting the headlines, but when it’s on a scale such as this, it helps to highlight the role that big technology companies play as gatekeepers of our personal information. Facebook recently reported a data breach that affected 50 million accounts, while Google shuttered Google+ for consumers after an audit revealed a potential exploit — though there is no evidence that any data was compromised on that occasion.
As for Quora, it’s not entirely clear whether it went through the proper protocol from a European standpoint — the recently introduced General Data Protection Regulation (GDPR) requires all companies to report such data breaches to the appropriate European authorities within 72 hours, and failure to do so can result in massive fines. Quora does seem to have notified its users roughly within that timeframe, but we’re still trying to establish whether it notified the relevant authorities.
Quora said that it has logged out all users who may have been affected, and has invalidated the passwords of any affected users who log in to Quora with a password.
“We believe we’ve identified the root cause and taken steps to address the issue, although our investigation is ongoing and we’ll continue to make security improvements,” D’Angelo added.
“We will continue to work both internally and with our outside experts to gain a full understanding of what happened and take any further action as needed.”
Meanwhile, here is the full email that was sent out to affected Quora users today:
We are writing to let you know that we recently discovered that some user data was compromised as a result of unauthorized access to our systems by a malicious third party. We are very sorry for any concern or inconvenience this may cause. We are working rapidly to investigate the situation further and take the appropriate steps to prevent such incidents in the future.
On Friday we discovered that some user data was compromised by a third party who gained unauthorized access to our systems. We’re still investigating the precise causes and in addition to the work being conducted by our internal security teams, we have retained a leading digital forensics and security firm to assist us. We have also notified law enforcement officials.
While the investigation is still ongoing, we have already taken steps to contain the incident, and our efforts to protect our users and prevent this type of incident from happening in the future are our top priority as a company.
What information was involved
The following information of yours may have been compromised:
Account and user information, e.g. name, email, IP, user ID, encrypted password, user account settings, personalization data
Public actions and content including drafts, e.g. questions, answers, comments, blog posts, upvotes
Data imported from linked networks when authorized by you, e.g. contacts, demographic information, interests, access tokens (now invalidated)
Questions and answers that were written anonymously are not affected by this breach as we do not store the identities of people who post anonymous content.
What we are doing
While our investigation continues, we’re taking additional steps to improve our security:
We’re in the process of notifying users whose data has been compromised.
Out of an abundance of caution, we are logging out all Quora users who may have been affected, and, if they use a password as their authentication method, we are invalidating their passwords.
We believe we’ve identified the root cause and taken steps to address the issue, although our investigation is ongoing and we’ll continue to make security improvements.
We will continue to work both internally and with our outside experts to gain a full understanding of what happened and take any further action as needed.
What you can do
We’ve included more detailed information about more specific questions you may have in our help center, which you can find here.
While the passwords were encrypted (hashed with a salt that varies for each user), it is generally a best practice not to reuse the same password across multiple services, and we recommend that people change their passwords if they are doing so.
It is our responsibility to make sure things like this don’t happen, and we failed to meet that responsibility. We recognize that in order to maintain user trust, we need to work very hard to make sure this does not happen again. There’s little hope of sharing and growing the world’s knowledge if those doing so cannot feel safe and secure, and cannot trust that their information will remain private. We are continuing to work very hard to remedy the situation, and we hope over time to prove that we are worthy of your trust.
The Quora Team