
100 million Quora.com user details exposed

Question-and-answer site is the latest organisation to admit a breach of users’ personal data, with industry commentators calling out credential theft as a top cause of such breaches

Just days after Marriott International revealed that 500 million of its Starwood customers’ data was exposed, question-and-answer site Quora.com has admitted a massive data breach, but said not all users are affected.

The company alerted affected users by email that their user data was compromised “due to unauthorised access to our systems by a malicious third party” and invalidated their passwords to force a reset, prompting speculation that stolen credentials were used to gain access to Quora.com systems.

The breach, which affects “approximately 100 million users”, includes names, email addresses, encrypted passwords, data imported from linked networks when authorised by users, answer requests, downvotes and direct messages.

“We have engaged leading digital forensic and security experts and launched an investigation, which is ongoing,” the company told users.

Quora.com also said it had notified law enforcement officials and taken steps to “ensure the situation is contained” and to prevent similar breaches in future.

“Protecting our users’ information and fostering an environment built on trust remains our top priority,” the company said.

Quora.com made the breach public on 3 December, but said it had launched a “comprehensive investigation and remediation effort” as soon as the breach was discovered on 30 November.

It said the breach is “highly unlikely” to result in identity theft because the company does not collect information such as credit card or social security numbers.

The firm has also offered to send users an archive of their content and personal data within 72 hours of receiving a request to do so.

Quora.com chief executive Adam D’Angelo addressed the issue of trust in a blog post about the breach.

“It is our responsibility to make sure things like this don’t happen, and we failed to meet that responsibility,” he said. “We recognise that in order to maintain user trust, we need to work very hard to make sure this does not happen again.

“There is little hope of sharing and growing the world’s knowledge if those doing so cannot feel safe and secure, and cannot trust that their information will remain private. We are continuing to work very hard to remedy the situation, and we hope over time to prove that we are worthy of your trust.”


D’Angelo said the company will be “as transparent as possible” without compromising its security systems or the steps it is taking.

He said Quora.com is still investigating the precise causes of the breach, but investigators believe they have “identified the root cause” and taken steps to address the issue.

“We will continue to work both internally and with our outside experts to gain a full understanding of what happened and take any further action as needed.”

Although the company said the passwords were “encrypted”, it is not clear what form of encryption was used, and the fact that affected users are being forced to reset their passwords indicates that the method used was not the strongest available.

The breach underlines the importance of service providers using the strongest encryption methods available, and of users setting a unique password for each of their accounts and using multifactor authentication wherever it is offered.

Stephen Cox, vice-president and chief security architect at SecureAuth, said there is growing evidence that stolen credentials are involved in the vast majority of breaches.

“More focus needs to be put on advanced authentication techniques to improve organisations’ security posture in this threat landscape,” he said. “Far too many organisations are relying on approaches that have simply been proven ineffective against modern attackers, and they must be careful not to develop a false sense of security even when they have adopted basic techniques such as two-factor authentication.

“These types of breaches will continue to proliferate unless organisations up their game for their employees and their customers, implementing multifactor and adaptive authentication to render stolen credentials useless to an attacker.”
