Quora Breach Exposes a Wealth of Info on 100M Users

The information is an early Christmas gift for any social engineer.

Crowdsourced query site Quora is asking the question of “what happened?” in the wake of a massive data breach that impacts up to 100 million of its users.

The hack exposed user names, email addresses, hashed passwords, direct message content and imported data from any networks that users linked to their accounts, like Facebook or Twitter. It also gave the information thieves access to a veritable treasure trove of social engineering and profiling fodder, such as questions, answers, answer requests, comments, up votes and down votes.

The site’s administrators discovered the hack on Friday, though no information as to how it occurred is yet available. Quora CEO Adam D’Angelo noted in a posting Monday evening that the site is “still investigating the precise causes,” but he said the breach has been contained.

“The overwhelming majority of the content accessed was already public on Quora, but the compromise of account and other private information is serious,” D’Angelo said.

Quora is notifying users whose data has been compromised and forcing them to change passwords.

“It is our responsibility to make sure things like this don’t happen, and we failed to meet that responsibility,” D’Angelo said. “We recognize that in order to maintain user trust, we need to work very hard to make sure this does not happen again. There’s little hope of sharing and growing the world’s knowledge if those doing so cannot feel safe and secure, and cannot trust that their information will remain private.”

In addition to changing their Quora passwords, users should also swap out passwords for any linked accounts – and take the incident as a reminder to use unique, complex credentials for each service.

“We are using more and more online accounts in our everyday lives, and that number doubles every five years,” said Emmanuel Schalit, CEO at Dashlane, via email. “Managing passwords for all these accounts has become incredibly hard. Most of us react to this problem with indifference and tend to use the same password everywhere, which is incredibly poor cyber hygiene. We then bury our heads in the sand and think that everything is fine; until we receive an email from Quora or Facebook or Marriott saying our account details have been compromised. You never know when your accounts may have been exposed and your information vulnerable – it’s important to remember that password hygiene is not just for breaches.”

This incident is only the latest in a slew of data breaches over the past week, including those impacting the United States Postal Service, Dell EMC, Dunkin' Donuts, and Marriott.

Threatpost will continue to update this developing story with any additional coverage.