Quora has sent notifications to all of its users informing them that it has been breached. According to the information received, an unknown hacker or collective was able to access its database of user data on Friday (November 30). An investigation has started to find out how this happened and to remedy any possible Quora security issues.
Quora Users' Data Hijacked: What We Know So Far
News of the Quora incident reached users of the service by email. The alert is titled Quora Security Update and contains information about the intrusion. It states that the company uncovered the incident recently and is currently investigating the breach. On Friday, security specialists from Quora detected that user data had been acquired by an unauthorized third party who was able to gain access to the company's internal database servers. Upon detecting this, they took steps to remedy the identified weaknesses.
The following information has been compromised:
- Account and user information, e.g. name, email, IP, user ID, encrypted password, user account settings, personalization data
- Public actions and content including drafts, e.g. questions, answers, comments, blog posts, upvotes
- Data imported from linked networks when authorized by you, e.g. contacts, demographic information, interests, access tokens (now invalidated)
- Non-public actions, e.g. answer requests, downvotes, thanks
The service does not store any identity information of anonymous Quora users. This means that those who write without being registered in the system should not worry about their private data. Quora is gradually identifying which users have been affected and is notifying them through email messages. A further step taken as a precaution is the forced logout of all potentially affected users. Through a mandatory password reset, their login credentials will be changed to disallow abuse in the future. This will lead to the practice of changing username and password combinations at regular intervals in order to prevent abuse of leaked credentials.
Quora Advertiser Accounts Are Also Affected
Individual user accounts were not the only ones affected. We received reports of advertiser account holders who have also been breached. The following information was accessed on their end:
- Account information available on the Ads Manager account settings page
- The email address provided for notifications about your ad campaigns
- Campaign structure and setup, including information like budgets, schedule, bids, targeting, and ad information
- Notifications that were in your Ads Manager, such as ad paused, logo approved, and ad ready
- Audience setup information available on the Ads Manager audience page such as types and creation date
- Partial credit card information, including name, expiration date, and the last four digits of the credit card
Quora specifically mentions that sensitive data such as payment card details and log files are not affected. The company states that it has found a possible cause of the intrusion; however, the investigation is still ongoing and has not been concluded. All Quora user passwords are individually hashed and encrypted, which provides a certain sense of comfort. However, best security practices still recommend that a password should not be reused across multiple services.