Popular Q&A forum Quora has logged out its entire 200-million-strong user base and invalidated all passwords after hackers stole the account information, direct messages and comments of an estimated 100 million users.
Saying its systems were compromised by a malicious third party, the company, owned by former Facebook employees Adam D’Angelo and Charlie Cheever, said it discovered the breach on Friday and was still investigating how it happened.
“In addition to the work being conducted by our internal security teams, we have retained a leading digital forensics and security firm to assist us. We have also notified law enforcement officials”, the California-headquartered company said.
We have discovered that some user data was compromised by unauthorized access to our systems. We’ve taken steps to ensure that the situation is contained and are notifying affected users. Protecting your information is our top priority. Read more here: https://t.co/uwbdMjoM1v
— Quora (@Quora) December 3, 2018
Quora Hack: Joins Long Line of Data Spewers
The breach is just the latest in a string of colossal exposures of private user data: late last week hotel chain Marriott International fell victim to one of the biggest such recent hacks, with 500 million guests’ details, including card numbers, exposed.
Other large-scale recent breaches include Hong Kong-based airline Cathay Pacific, where 9 million passport and payment details were exposed in October.
Quora account information (name, email address, hashed password, and data imported from linked networks when authorised by users), public content and actions (questions, answers, comments, upvotes) and non-public content and actions (answer requests, downvotes, direct messages) may all have been compromised.
Passwords were stored as one-way hashes rather than in plain text, so they are unlikely to have been directly exposed, but Quora recommends that users who had used the same password across multiple online accounts change it on those other accounts too.
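The two defensive measures the article describes, storing passwords only as hashes and then logging every user out and invalidating every password once a breach is discovered, are illustrated below as an added example; this is illustrative code written for this page, not Quora's systems, and the record layout, method names and iteration count are assumptions. It uses a per-user random salt with PBKDF2 (a slow, one-way hash from the Python standard library), which is what makes a leaked hash table hard to turn back into passwords; a fast unsalted hash would not give the same protection.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Hypothetical user record; the field names are assumptions for this example.
@dataclass
class UserRecord:
    salt: bytes
    password_hash: bytes
    must_reset: bool = False                 # set during breach response
    sessions: set = field(default_factory=set)

PBKDF2_ITERATIONS = 210_000  # work factor chosen for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow, one-way hash: the stored value cannot be reversed to the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AccountStore:
    """Minimal in-memory account store (constructed for this example)."""

    def __init__(self) -> None:
        self.users: dict[str, UserRecord] = {}

    def register(self, email: str, password: str) -> None:
        # Per-user salt: two users with the same password get different stored hashes,
        # so one precomputed table cannot be reused against the whole database.
        salt = os.urandom(16)
        self.users[email] = UserRecord(salt=salt, password_hash=hash_password(password, salt))

    def login(self, email: str, password: str):
        """Return a session token on success, None on failure or while a reset is pending."""
        user = self.users.get(email)
        if user is None:
            return None
        candidate = hash_password(password, user.salt)
        # Constant-time comparison of the two digests.
        if not hmac.compare_digest(candidate, user.password_hash):
            return None
        if user.must_reset:
            return None  # old password is no longer accepted after the breach response
        token = secrets.token_hex(16)
        user.sessions.add(token)
        return token

    def is_valid_session(self, email: str, token: str) -> bool:
        user = self.users.get(email)
        return user is not None and token in user.sessions

    def breach_response(self) -> int:
        """Log every user out and invalidate every password; returns the number of accounts affected."""
        for user in self.users.values():
            user.sessions.clear()
            user.must_reset = True
        return len(self.users)

    def reset_password(self, email: str, reset_proof_ok: bool, new_password: str) -> bool:
        """Install a new password after an out-of-band reset; verifying the reset proof
        (e.g. an emailed link) is assumed to have been done by the caller."""
        user = self.users.get(email)
        if user is None or not reset_proof_ok:
            return False
        user.salt = os.urandom(16)  # fresh salt with the new password
        user.password_hash = hash_password(new_password, user.salt)
        user.must_reset = False
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice@example.test", "correct horse")   # constructed sample accounts
    store.register("bob@example.test", "correct horse")
    token = store.login("alice@example.test", "correct horse")
    print("logged in:", token is not None)
    print("accounts invalidated:", store.breach_response())
    print("old session still valid:", store.is_valid_session("alice@example.test", token))
    print("old password still works:", store.login("alice@example.test", "correct horse") is not None)
```

The `must_reset` flag is what turns "invalidated all passwords" into an enforceable rule: even a correct old password is refused until the user completes an out-of-band reset, which also closes the window in which a reused password from this breach could be tried against the same service.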
Troy Hunt, founder of the haveibeenpwned.com website, which allows users to check whether their emails have been compromised in a breach, said: “Short of not using online services at all, there’s simply nothing you can do to *not* be in a breach, there’s only things you can do to minimise the impact when it inevitably happens.”
Stephen Cox, VP & Chief Security Architect at SecureAuth said in an emailed statement: “Mounting evidence points at stolen credentials being involved in the vast majority of breaches, and there is no sign of this trend slowing down. More focus needs to be put on advanced authentication techniques to improve organisations’ security posture in this threat landscape.”
He added: “Far too many organisations are relying on approaches that have simply been proven ineffective against modern attackers, and they must be careful to not develop a false sense of security even when they’ve adopted basic techniques such as two-factor authentication. These types of breaches will continue to proliferate unless organisations up their game for their employees and their customers, implementing multi-factor and adaptive authentication to render stolen credentials useless to an attacker.”