Quora breach leaks data of 100m users
Question-and-answer Web site Quora announced on Monday that hackers had gained access to the personal information of up to 100 million of its users.
Quora CEO, Adam D'Angelo, said the company discovered on Friday that one of its systems had been hacked by a malicious third party.
"We are working rapidly to investigate the situation further and take the appropriate steps to prevent such incidents in the future," he added.
The compromised information includes users' account information, such as name, e-mail address, encrypted password, and data imported from linked networks when authorised by users. It also includes public content and actions, such as questions, answers, comments, upvotes, and non-public content and actions, including answer requests, downvotes and direct messages.
D'Angelo said the 'overwhelming majority' of the content accessed was already public on the Web site, but the compromise of account and other private information is serious.
As a precautionary step, he said Quora is logging out all its users who may have been affected, and, if they use a password as their authentication method, is invalidating these.
"We believe we've identified the root cause and taken steps to address the issue, although our investigation is ongoing and we'll continue to make security improvements," he added.
"In addition to the work being conducted by our internal security teams, we have retained a leading digital forensics and security firm to assist us," the company said in a letter to users, adding that it has also notified law enforcement officials.
"It is our responsibility to make sure things like this don't happen, and we failed to meet that responsibility. We recognise that in order to maintain user trust, we need to work very hard to make sure this does not happen again," it added.
Web security company High-Tech Bridge's CEO, Ilia Kolochenko, said stolen data and other scanty details currently available about the breach may indicate that it happened via one of Quora's Web applications.
"Another possibility is an attack against a trusted third party, such as one of their data processors. However, until full and detailed investigation is completed, it is too early to make definitive conclusions."
In light of a class-action lawsuit seeking $12.5 billion in damages filed after the recent Marriott data breach, he said Quora could also suffer significant legal ramifications.
Much like the Marriott data breach, Kolochenko says details and scope of the Quora breach have not been disclosed, leaving victims in "ambiguity and darkness".
"If the alleged information has indeed been stolen, we can expect a slew of password reuse attacks and various spear phishing campaigns targeting the victims."
Andrew Voges, threat prevention sales leader for the Middle East and Africa at Check Point, says attackers are targeting companies and Web sites which hold massive amounts of customer data, as seen recently in major attacks against airlines and hotel chains.
"While it is not known how Quora's systems were breached, the hackers could have exploited any one of several vectors to get access. Organisations need to protect themselves against sophisticated fifth-generation threats which spread across networks, endpoints, mobile and cloud services, and prevent them from being able to impact on their business," adds Voges.
Luckily, there was no financial information associated with the exposed user data, and the stolen passwords were scrambled, but users should consider changing their passwords on other accounts if they have used the same password as for their Quora account, Voges advises.
"They should also be suspicious of e-mails claiming to be related to the Quora breach, as these could be phishing attempts to try and extract more sensitive information."