Data for 100 Million Quora Users Compromised blog.quora.com

Adam D’Angelo of Quora:

For approximately 100 million Quora users, the following information may have been compromised:

  • Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users

  • Public content and actions, e.g. questions, answers, comments, upvotes

  • Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)

A security breach is never a good thing, and the compromise of a hundred million users’ account details puts this up there with some of the biggest breaches.

However, I want to give kudos to Quora on three fronts. First, the response speed: they discovered this on Friday and we’re learning about it on Monday, shortly after they believe they fixed the flaw. Quick response times are rare in cases like this one, and they handled that well.

Second:

While the passwords were encrypted (hashed with a salt that varies for each user), it is generally a best practice not to reuse the same password across multiple services, and we recommend that people change their passwords if they are doing so.

It is never a great thing when passwords are leaked in any form. But Quora did password security right by uniquely salting and hashing them.

And third:

Questions and answers that were written anonymously are not affected by this breach as we do not store the identities of people who post anonymous content.

This is fantastic. Lazy programmers would simply replace user-identifying attributes on the frontend with anonymized versions and call it a day. Sincere kudos to their engineering team for doing anonymous posting the correct way.
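The contrast drawn above, as an added example that is not Quora's code: a store that persists the real author and masks it only at render time, beside one that never writes the identity and instead hands the author a per-post edit token so they can still edit later (the token mechanism, the `Post` schema and all names are assumed, not Quora's design). `identities_in_dump` shows what a full copy of each table reveals about anonymous authors.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass
class Post:
    post_id: int
    body: str
    author_id: Optional[int]               # None: no identity recorded at all
    edit_token_hash: Optional[str] = None  # lets an anonymous author edit later

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

class MaskedStore:
    """The 'lazy' design: the real author is stored, only the rendering hides it."""
    def __init__(self) -> None:
        self.rows: List[Post] = []
    def post_anonymously(self, author_id: int, body: str) -> int:
        self.rows.append(Post(len(self.rows) + 1, body, author_id))
        return len(self.rows)
    def render(self, post_id: int) -> dict:
        p = self.rows[post_id - 1]
        return {"body": p.body, "author": "Anonymous"}  # masked at the frontend only

class UnlinkedStore:
    """Identity is never written; a per-post capability token allows later edits."""
    def __init__(self) -> None:
        self.rows: List[Post] = []
    def post_anonymously(self, author_id: int, body: str) -> Tuple[int, str]:
        # author_id may be used for authentication or rate limiting, but is never persisted
        token = secrets.token_urlsafe(32)
        self.rows.append(Post(len(self.rows) + 1, body, None, _digest(token)))
        return len(self.rows), token  # the token goes only to the author
    def edit(self, post_id: int, token: str, new_body: str) -> bool:
        p = self.rows[post_id - 1]
        if not secrets.compare_digest(_digest(token), p.edit_token_hash):
            return False
        p.body = new_body
        return True
    def render(self, post_id: int) -> dict:
        return {"body": self.rows[post_id - 1].body, "author": "Anonymous"}

def identities_in_dump(rows: List[Post]) -> Set[int]:
    """What a full copy of the table reveals about who posted anonymously."""
    return {p.author_id for p in rows if p.author_id is not None}
```

Both stores render identically to readers; only a breach of the backing table tells them apart.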