Quora revealed it is the latest company to get hacked, with data being improperly accessed on as many as 100 million user accounts.
The website, which allows users to ask and answer questions in an online forum, said compromised information includes users’ names, email addresses, passwords and data from linked social media accounts like Facebook and Twitter. Hackers also got information about Quora members’ history of use, but users who participated anonymously on the site were not affected.
The company confirmed the breach with a tweet:
We have discovered that some user data was compromised by unauthorized access to our systems. We’ve taken steps to ensure that the situation is contained and are notifying affected users. Protecting your information is our top priority. Read more here: https://t.co/uwbdMjoM1v
— Quora (@Quora) December 3, 2018
It also addressed the breach in a blog post.
In the post, CEO Adam D’Angelo explained how the hack occurred. He wrote:
On Friday we discovered that some user data was compromised by a third party who gained unauthorized access to one of our systems. We’re still investigating the precise causes and in addition to the work being conducted by our internal security teams, we have retained a leading digital forensics and security firm to assist us. We have also notified law enforcement officials.
While the investigation is still ongoing, we have already taken steps to contain the incident, and our efforts to protect our users and prevent this type of incident from happening in the future are our top priority as a company.
He promised the company was taking new steps to beef up security and protect users.
While our investigation continues, we’re taking additional steps to improve our security:
- We’re in the process of notifying users whose data has been compromised.
- Out of an abundance of caution, we are logging out all Quora users who may have been affected, and, if they use a password as their authentication method, we are invalidating their passwords.
- We believe we’ve identified the root cause and taken steps to address the issue, although our investigation is ongoing and we’ll continue to make security improvements.
We will continue to work both internally and with our outside experts to gain a full understanding of what happened and take any further action as needed.
Quora took responsibility for the breach and said it had failed its users.
The post concluded:
It is our responsibility to make sure things like this don’t happen, and we failed to meet that responsibility. We recognize that in order to maintain user trust, we need to work very hard to make sure this does not happen again. There’s little hope of sharing and growing the world’s knowledge if those doing so cannot feel safe and secure, and cannot trust that their information will remain private. We are continuing to work very hard to remedy the situation, and we hope over time to prove that we are worthy of your trust.
Quora is trying to offer transparency for affected users by publishing extensive reports about the breach. However, some consumers may want more.
Quora has posted an extensive FAQ explaining details of the data breach, but the FAQ doesn’t mention how user passwords were hashed, i.e. run through a one-way function before storage. This matters because hashing schemes vary greatly in strength. Passwords hashed with some older, fast, unsalted algorithms can be “cracked” (recovered by guessing candidates and comparing the results) in milliseconds on standard desktop computers, while passwords protected with modern salted, deliberately slow algorithms might take thousands of years to crack.
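As an added illustration, not part of the article or of Quora’s own disclosure, the Python below shows why the hashing scheme matters: a legacy unsalted fast hash is placed beside a salted, iterated key-derivation function, with a check a site can use to upgrade old records at the user’s next login. The sample password and the iteration count are constructed assumptions, and the cost ratio it measures depends on the machine it runs on.

```python
import hashlib
import hmac
import os
import time

# Constructed sample credential for the demonstration; not from the article.
SAMPLE_PASSWORD = "correct horse battery staple"
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster


def weak_store(password: str) -> str:
    """Legacy storage: one unsalted, fast hash. Every guess costs a single
    cheap SHA-1 call and identical passwords yield identical digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def strong_store(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated KDF. The random salt defeats precomputed tables and
    the iteration count makes each offline guess cost `iterations` HMAC calls."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and iteration count."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time compare


def needs_rehash(stored: str) -> bool:
    """True for records still in the legacy format, so they can be upgraded
    transparently the next time the user logs in with the correct password."""
    return not stored.startswith("pbkdf2_sha256$")


def guess_cost_ratio(password: str = SAMPLE_PASSWORD, fast_samples: int = 1000) -> float:
    """How many SHA-1 guesses fit in the time of one PBKDF2 guess on this machine:
    a rough proxy for the milliseconds-versus-years gap described above."""
    start = time.perf_counter()
    for _ in range(fast_samples):
        weak_store(password)
    fast_each = (time.perf_counter() - start) / fast_samples
    start = time.perf_counter()
    strong_store(password)
    return (time.perf_counter() - start) / fast_each
```

On a typical laptop the ratio runs into the hundreds of thousands, which is the margin a defender buys by choosing the slow scheme before a database is ever stolen.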
Many have pointed to the frequency of these reports and are advising stricter password safeguards for users.
Quora’s post is only the latest disclosure of a major breach. On Friday, hotel chain Marriott International said a system breach allowed hackers to steal passport numbers, credit card data, and other details for 500 million customers. In September, Facebook reported an attack on its network that allowed hackers to steal personal details for as many as 50 million users. The social network later lowered the number of accounts affected to about 30 million.
Readers are, once again, reminded to use a long and complex password that’s unique to each site, ideally by using a password manager. Whenever multi-factor authentication is available, people should enable that protection as well.
On social media, many were ready to impugn the company’s crisis response efforts.
Just wanted to say I would have never registered an account if your site didn’t push for it so hard.
— Geo Miller (@storesyntax) December 4, 2018
Sending from no-reply@ is not how it’s done, especially when you don’t know for certain what data was taken for which user pic.twitter.com/lHbeniditY
— Zach Bouzan-Kaloustian (@ZacharyBK) December 4, 2018
Reactions also reveal consumer weariness with both the hacks and company responses to these incidents:
Like, this is starting to get embarrassing. How many companies need to have security breaches before everyone else says “Hmm, maybe we should lock this down? Create new protocols to prevent unauthorized access?” Instead, just another canned response with no real action. Thanks.
— Nishant (@NishantGogna) December 4, 2018
Some say the company has yet to fully explain the breach:
Quora owes its users (even those it forced to sign up just to see the damn site) an explanation as to what happened and why. https://t.co/elSeWeEQoK
— Zack Whittaker (@zackwhittaker) December 4, 2018
Unless companies can convince consumers that they can keep their data safe, they may stop signing up for some online memberships.
Oh okay it was only ONE HUNDRED MILLION ACCOUNTS, according to Quora. https://t.co/0pzWxNaOw7 Maybe we should just stop signing up for anything forever
— Chris Welch (@chriswelch) December 4, 2018
What do you think of Quora’s crisis response efforts, PR Daily readers?