Quora Breach Hits 100 Million Users

Quora has become the latest big-name tech firm to suffer a major data breach, after revealing that personal information on 100 million users may have been compromised.

The question-and-answer website said it discovered unauthorized access by a malicious third party on Friday, and is currently investigating the exact cause of the incident in concert with a digital forensics firm and law enforcement.

The potentially compromised information includes account info such as names, email addresses and encrypted passwords, as well as data imported by users from linked networks.

Other data that may have been breached includes public content and actions — like questions, answers, comments and upvotes — and non-public content like answer requests, downvotes and direct messages.

“Questions and answers that were written anonymously are not affected by this breach as we do not store the identities of people who post anonymous content,” the firm clarified.

“The overwhelming majority of the content accessed was already public on Quora, but the compromise of account and other private information is serious.”

All affected users have been logged out, and those who use a password as their authentication method have been forced to reset it.

SecureAuth chief security architect Stephen Cox suggested that stolen credentials may have been behind the breach.

“More focus needs to be put on advanced authentication techniques to improve organizations’ security posture in this threat landscape,” he added. “Far too many organizations are relying on approaches that have simply been proven ineffective against modern attackers, and they must be careful to not develop a false sense of security even when they’ve adopted basic techniques such as two-factor authentication.”

Although the personal data compromised in this incident appears to be fairly limited, and Quora had at least hashed passwords with a salt that varies for each user, the incident could still lead to a deluge of phishing attempts on users.

Source: Information Security Magazine