Are you one of the 100-million people who have used the Quora question and answer site, and could have had your data compromised as a result?
The latest high-profile breach affecting millions of people around the world has seen data including names, passwords and information in linked networks possibly leaked.
Adam d’Angelo, CEO of Quora, says the breach was discovered on Friday (30 November).
“We discovered that some user data was compromised by a third party who gained unauthorised access to one of our systems,” he states. “We’re still investigating the precise causes and in addition to the work being conducted by our internal security teams, we have retained a leading digital forensics and security firm to assist us. We have also notified law enforcement officials.
“While the investigation is still ongoing, we have already taken steps to contain the incident, and our efforts to protect our users and prevent this type of incident from happening in the future are our top priority as a company.”
He says the following information of about 100-million users has potentially been exposed:
* Account information, such as name, email address, encrypted (hashed) password, data imported from linked networks when authorised by users;
* Public content and actions, for example questions, answers, comments, upvotes; and
* Non-public content and actions, such as answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages).
Questions and answers that were written anonymously are not affected by this breach as the site does not store the identities of people who post anonymous content.
“The overwhelming majority of the content accessed was already public on Quora, but the compromise of account and other private information is serious,” d’Angelo adds.
While the investigation is underway, Quora is taking steps to improve its security, he says.
“We’re in the process of notifying users whose data has been compromised.
“Out of an abundance of caution, we are logging out all Quora users who may have been affected, and, if they use a password as their authentication method, we are invalidating their passwords.
“We believe we’ve identified the root cause and taken steps to address the issue, although our investigation is ongoing and we’ll continue to make security improvements,” d’Angelo says.
“We will continue to work both internally and with our outside experts to gain a full understanding of what happened and take any further action as needed.”
Andrew Voges, threat prevention sales leader: Middle East & Africa at Check Point, comments: “Hackers are deliberately targeting companies and websites which hold massive amounts of customer data – as we’ve seen with the recent major attacks against airlines and hotel chains.
“While it is not known how Quora’s systems were breached, the hackers could have exploited any one of several vectors to get access. Organisations need to protect themselves against sophisticated fifth-generation threats which spread across networks, endpoints, mobiles and cloud services, and prevent them from being able to impact on their business.
“Luckily, there was no financial information associated with the exposed user data, and the stolen passwords were scrambled, but users should consider changing their passwords on other accounts if they have used the same password as for their Quora account. They should also be suspicious of emails claiming to be related to the Quora breach, as these could be phishing attempts to try and extract more sensitive information.”