In a blog post today, Quora’s CEO Adam D’Angelo said that a malicious third party gained unauthorized access to the company’s systems on November 30, as a result of which sensitive information of 100 million users was compromised.
The Big Picture
The data breach compromised sensitive data of about 100 million users due to unauthorized access to one of Quora’s systems by a malicious intruder. Quora is currently sending emails to users notifying them of the breach and asking them to change their passwords. The company has also notified law enforcement officials and has taken necessary actions to prevent such a breach in the future.
In the blog post, Adam D’Angelo wrote,
- We are working closely with the internal security teams and have retained a leading digital forensics team to help us with the incident.
- The company is currently working on logging out the accounts of all the users who would have been affected by the breach and invalidating their passwords if they use one as their authentication method.
- They are carrying out investigations to find the root cause of the breach and taking preventive measures to avoid such a situation in the future.
What kind of information was compromised?
- User Account Information such as names, email addresses, IP addresses, encrypted passwords, user IDs, and data imported from linked networks when authorized by the users.
- Public Content and Actions such as questions, answers, comments, upvotes, drafts, etc.
- Non-public Content and Actions such as answer requests, downvotes, edits, and direct messages.
D’Angelo further confirmed that anonymous questions and answers were not affected by the breach, as the identities of people who post anonymously are not stored in the system.
In another blog post on its help center, Quora confirmed that the breach did not compromise any partners’ financial information that was accessible through Stripe (the third-party payment service used for the Partner Program), though some data associated with Stripe was temporarily compromised. The company directly confirmed with Stripe that the access token was never used, and the access tokens for all Stripe account users have already been reset.