Quora revealed that the data of 100 million users may have been breached as its systems were compromised by “a malicious third party”. Quora CEO Adam D’Angelo said in a blog post that the company was still investigating “precise causes” of the breach. “We believe we’ve identified the root cause and taken steps to address the issue, although our investigation is ongoing..” says the post. The company first learnt of the breach on November 30, after which it launched an investigation.

The compromised data includes:

  • Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users
  • Public content and actions, e.g. questions, answers, comments, upvotes
  • Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)

Currently, Quora is notifying users whose data has been compromised, logging out all affects users, invalidating passwords of those who use a password as authentication. It has also advised users to change their passwords on other services, in case they were using passwords identical to that of Quora.

“It is our responsibility to make sure things like this don’t happen, and we failed to meet that responsibility,” D’Angelo wrote.

Quora notes that those who posted questions and answers anonymously were not affected by the breach, as it does not store the identities of those who post anonymously. It also clarifies that the breach is unlikely to result in identity theft, as it does not include credit card information or social security numbers.

Many seemed to have forgotten that they had a Quora account:

Note that this breach comes just a day after Marriott Hotels revealed that data of 500 million customers was breached in a security compromise of its Starwood reservation system. 327 million of these customers’ names, mailing address, phone number, email address, passport numbers, and other personal information was exposed, some records even included payment card numbers and card expiration dates.