Quora Security Breach: What You Need To Know

Popular Q&A site Quora suffered a security breach last week with a malicious third party gaining unauthorised access to the site's systems. I guess it can now add its own answer to the question of what to do after a breach.

Quora said, in a statement emailed to members, that it is currently investigating exactly how the breach occurred. However, it says account and user information was compromised, such as name, email, IP, user ID, encrypted password, user account settings, personalisation data, public actions and content including drafts, data imported from linked networks you've authorised and non-public actions like answer requests and downvotes.

If you used Quora anonymously, you shouldn't be affected as the company said they don't store any data about anonymous posters.

While passwords were stolen, Quora said these were protected through encryption and a unique salt for each user. Even so, it's a good idea to change your password. And, if you used the same password for any other services, I'd be changing those too. Although the passwords were protected and the thieves stole encrypted data, my philosophy is that all bets are off once physical access to data is achieved. And even if they cannot be decrypted now, there's no telling what may be possible in a year's time.

The company adds that it believes it has tracked down the root cause of the breach and is making security improvements.

All Quora users have been logged out and affected users will be forced to change their passwords when they next log in.

In the meantime, I wonder if the folks at Quora took a look at "How do I protect my organization from a breach?" and "How can we reduce security breaches in an organization?".


    How does it affect those who logged in with their Facebook ID?

      Login with FB, Microsoft or Google means they don't have your password. That's good.
      There is a smaller bit of identity risk.

      My take is that using these logins gives the average person a lot more protection. The big vendors have security teams plus a whole lot of built in enhancements. Especially Google which has a fair idea of what you're doing so can block logins from places where you aren't, or detect other unusual usage. If you are serious about protecting yourself further, use one of the two factor login methods, eg Google Authenticator.

      I'm surprised that websites themselves don't use and promote this. It means there is less reason to hack them, and less impact on their users if they are hacked.

        Yeah, I've 2FA turned on for anything I can. And tend to use Facebook login for anything that allows it so I'm reducing the risk of this kind of thing.

    Technically the passwords were hashed rather than encrypted (at least I hope they were)

      The official statement says "the passwords were encrypted (hashed with a salt that varies for each user)". So, hashed and salted.
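
What "hashed with a salt that varies for each user" means for stored passwords, as an added example that is not Quora's code and not part of the article or its comments. Quora's actual algorithm and parameters are not stated on this page; PBKDF2-HMAC-SHA256, the iteration count, the record layout and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed work factor; the real parameters are not given on the page.
ITERATIONS = 600_000


def make_record(password: str) -> dict:
    """Hash a password with a fresh random salt.

    Only the salt, the work factor and the digest are stored. There is no
    key and no decrypt step, which is the difference from encryption.
    """
    salt = secrets.token_bytes(16)  # unique per user, stored beside the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def unsalted(password: str) -> str:
    """Fast hash with no salt, shown only for contrast."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    pw = "constructed-sample-password"
    alice, bob = make_record(pw), make_record(pw)
    # Per-user salts make the stored hashes differ, so a breach does not
    # reveal which accounts share a password.
    print("salted hashes equal:  ", alice["hash"] == bob["hash"])
    # Without a salt the same password always yields the same value.
    print("unsalted hashes equal:", unsalted(pw) == unsalted(pw))
    print("login accepted:       ", verify(pw, alice))
    print("wrong password:       ", verify("not-the-password", alice))
```

A weak or reused password can still be guessed one account at a time from a stolen record like this, which is why changing it after a breach remains worthwhile.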
