Yet another mega-leak: 100 million Quora accounts compromised by system invaders

Passwords should be safe, but reset just in case

Someone's taken a wander through the systems of question-and-answer website Quora, pilfering account details of 100 million users.

The organisation announced on Monday this week: “On Friday we discovered that some user data was compromised by a third party who gained unauthorized access to one of our systems.”

It said it has “taken steps to contain the incident”.

Breached data includes account information, public content and actions (such as comments, upvotes and actions), and non-public actions (answer requests, downvotes, and direct messages, the latter used by only “a small percentage” of users).

The account data involved included user IDs, email addresses, and (it's good to report, for once – El Reg) fully encrypted passwords. Quora's post said it will log out all affected users, and push a password reset.

credit card

Magecart fiends punch card-skimming code in Sotheby's Home website

READ MORE

For everyone else, there's this advice: “While the passwords were encrypted (hashed with a salt that varies for each user), it is generally a best practice not to reuse the same password across multiple services, and we recommend that people change their passwords if they are doing so.”

The breached also included “data imported from linked networks,” if a user had given permission for that to be done from their account.

The post doesn't stipulate what information might come from linked accounts, but it's explained in the privacy policy. If you've used Google or Facebook to log in, or you've connected your Quora account with Facebook, Twitter, or LinkedIn, “we receive certain profile and account information about you from the Linked Network.”

So it looks to The Register there's a risk that someone using their real name on Quora, but not on Twitter, could be doxxed as part of this leak.

Quora believes it's “identified the root cause and taken steps to address the issue”, an outside organisation is assisting, and law enforcement has been notified. ®




Biting the hand that feeds IT © 1998–2018