About 100 million users of Quora were affected by unauthorised access to one of its systems by a “malicious third party,” the knowledge-sharing website said on Monday. Account information, including name, email address, encrypted passwords and other information of users may have been compromised, it added.
The company said it is logging out all Quora users who may have been affected to prevent further damage. The breach was discovered on Friday, and the company sent out emails to all customers earlier today.
“We are in the process of notifying users whose data has been compromised,” Quora CEO Adam D’Angelo said in a blog post.
The post further notes, “On Friday we discovered that some user data was compromised by a third party who gained unauthorized access to one of our systems. We’re still investigating the precise causes and in addition to the work being conducted by our internal security teams, we have retained a leading digital forensics and security firm to assist us. We have also notified law enforcement officials.”
The compromised information may include name, email address, encrypted (hashed) password and data imported from linked networks when authorized by users. It would also include any public content, meaning any questions, answers, comments and upvotes shared by the user.
Non-public content, namely answer requests, downvotes and direct messages, is also impacted by the breach. The company insists that only a low percentage of Quora users have sent or received such messages.
The breach does not affect questions and answers that are written anonymously because Quora does not store the identities of people who post anonymous content, according to the blog.
Quora also notified law enforcement officials regarding this breach. “It is our responsibility to make sure things like this don’t happen, and we failed to meet that responsibility. We recognise that in order to maintain user trust, we need to work very hard to make sure this does not happen again,” concludes the post.
“When one-third of the customer (100M users) data is hacked in a company with tech DNA, it is a message for all companies of how vulnerable the cyberspace is. What is required, is to close the urgent need-gap for a real-time monitoring system to protect the digital setups of companies with a clear mathematical risk quantification framework that security teams, executive teams, boards, regulators, shareholders and customers can all rely upon, like an ISI / ISO standard rating available in other industries, but this one being real time,” said Saket Modi, co-founder and CEO of enterprise cybersecurity platform Lucideus.
Modi recommended that users enable two-step authentication wherever possible, keep unique passwords for their accounts and avoid linking multiple accounts with each other unless necessary. “We also advise that your Quora password (or Facebook / Google password if that’s how you log into Quora) be changed immediately.”
The Quora Inc-owned website was founded in 2009 by D’Angelo and Charlie Cheever, two former Facebook employees.
With Reuters inputs