100 million Quora users data exposed in major breach
Question and answer site Quora has revealed that its user data has been compromised as a result of unauthorized access to its systems by a 'malicious third party'.
The breach occurred on Friday and Quora is still investigating the causes. It has taken the step of logging out all users who may have been affected and forcing them to reset their passwords. It also says it will continue to make security improvements.
It’s believed the leak may have exposed data from social networks like Facebook and Twitter if users chose to link these to their Quora accounts. Quora has more than 100 million registered accounts. According to the email sent to users, and also posted on Quora's blog, information compromised may include:
- Account and user information, e.g. name, email, IP, user ID, encrypted password, user account settings, personalization data
- Public actions and content including drafts, e.g. questions, answers, comments, blog posts, upvotes
- Data imported from linked networks when authorized by you, e.g. contacts, demographic information, interests, access tokens (now invalidated)
- Non-public actions, e.g. answer requests, downvotes, thanks
- Non-public content, e.g. direct messages, suggested edits
Joseph Carson, chief security scientist at Thycotic says, "The latest data breach again demonstrates the risks of how organisations are collecting and storing sensitive personal information without clearly following security best practices on securing and protecting the data they have been entrusted to protect. Organisations needs to really prioritize data risk assessments and access controls to ensure the data is protected from easily compromised accounts."
Emmanuel Schalit, CEO of password manager Dashlane says, "Because the extent of the hack is still unknown, if you've ever signed up for a Quora account, we recommend changing your password now. Similarly, as some of the compromised information includes data from linked social network accounts such as Facebook and Twitter, we would recommend changing your passwords on those services too."
While any breach is bad news, Quora's handling of this -- with full disclosure of what data may have been exposed and forcing users to take action to change their passwords -- does deserve praise. It certainly contrasts to Amazon's approach to the disclosure of names and email addresses two weeks ago.