Popular online question and answer site Quora reported a data breach late on Dec. 3, impacting 100 million of its users worldwide.
The stolen data includes personally identifiable information (PII) from the 100 million users, including account information with name, email address and encrypted (hashed) passwords, as well as data imported from linked networks when authorized by users.
“On Friday [Nov. 30] we discovered that some user data was compromised by a third party who gained unauthorized access to our systems,” Quora wrote in an email to users. “We’re still investigating the precise causes and in addition to the work being conducted by our internal security teams, we have retained a leading digital forensics and security firm to assist us. We have also notified law enforcement officials.”
To help protect impacted users, Quora has logged out users and invalidated passwords. According to Quora, it has identified the root cause of the issue, though the company has not publicly disclosed what that issue actually involves.
Quora stated that it discovered the issue on Nov. 30 and moved quickly to inform users after an initial investigation was completed.
“It is highly unlikely that this incident will result in identity theft, as we do not collect sensitive personal information like credit card or social security numbers,” Quora stated in an FAQ on the breach.
Quora stated that it has retained “leading digital forensics and security firms” to help in the investigation. Additionally, Quora stated that it has informed law enforcement officials. At this point, Quora said it does not know who is behind the attack.
What End Users Should Do
The largest risk to end users is from password reuse, in cases where the same password used for Quora is also used on other sites.
“It is generally a best practice to not reuse the same password across multiple services, and we recommend that people change their passwords if they are doing so,” Quora stated.
The Quora data breach is the latest in a string of breaches in recent weeks that have exposed user information to attackers. Dell disclosed a data breach on Nov. 29 on its website, which also triggered a reset of user passwords. On Nov. 30, the same day that Quora discovered its breach, Marriott disclosed the largest breach yet in 2018, with 500 million users at risk from a breach that left user data exposed for up to four years.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.