Quora Security Breach: What You Need To Know


Popular Q&A site Quora suffered a security breach last week, with a malicious third party gaining unauthorised access to the site’s systems. I guess it can now add its own answer to the question of what to do after a breach.

Quora said, in a statement emailed to members, that it is currently investigating exactly how the breach occurred. However, it says account and user information was compromised, such as name, email, IP, user ID, encrypted password, user account settings, personalisation data, public actions and content including drafts, data imported from linked networks you’ve authorised, and non-public actions like answer requests and downvotes.

If you used Quora anonymously, you shouldn’t be affected, as the company said it doesn’t store any data about anonymous posters.

While passwords were stolen, Quora said these were protected through encryption and a unique salt for each user. Even so, it’s a good idea to change your password. And, if you used the same password for any other services, I’d be changing those too. Although the passwords were protected and the thieves stole encrypted data, my philosophy is that all bets are off once physical access to data is achieved. And even if they cannot be decrypted now, there’s no telling what may be possible in a year’s time.

The company adds that it believes it has tracked down the root cause of the breach and is making security improvements.

All Quora users have been logged out and affected users will be forced to change their passwords when they next log in.

In the meantime, I wonder if the folks at Quora took a look at “How do I protect my organization from a breach?” and “How can we reduce security breaches in an organization?”.


    • Login with FB, Microsoft or Google means they don’t have your password. That’s good.
      There is a smaller bit of identity risk.

      My take is that using these logins gives the average person a lot more protection. The big vendors have security teams plus a whole lot of built-in enhancements. Especially Google, which has a fair idea of what you’re doing so can block logins from places where you aren’t, or detect other unusual usage. If you are serious about protecting yourself further, use one of the two-factor login methods, e.g. Google Authenticator.

      I’m surprised that websites themselves don’t use and promote this. It means there is less reason to hack them, and less impact on their users if they are hacked.
