I am one of the 100 million Quora users who got an email saying that Quora's systems were compromised, leading to a breach of 100 million users' data, which might also include information from linked accounts along with the standard user details, including emails and passwords.
When Quora was Hacked
Quora came to know about the data breach on 30th November 2018. They have not clearly stated when the hack was executed, but they made it public on 4th December 2018.
How Quora Got Hacked
As per the Security Update FAQ:
We recently became aware that some user data was compromised due to unauthorized access to our systems by a malicious third-party
So someone from Quora screwed up and fell for a social engineering attack, which led to a massive data breach of 100 million users. I will share more details when they are made available; as of now, the exact attack vector is not known, nor has it been shared by Quora or on any darknet hacking forums, which are generally the first to tell.
Who and What was Hacked
Quora states that not all of its user base has been compromised and that only 100 million user accounts were affected. The data stolen by the hackers includes, but is not limited to:
- Account information (e.g. name, email address, encrypted password, data imported from linked networks when authorized by users)
- Public content
- User questions, answers, comments and upvotes
- Non-public content including answer requests, downvotes and direct messages
The amount of information compromised is not normal, and it is only a matter of time before we see attacks on the accounts of those users who have imported information from social media accounts … It is not over.
What about Quora Anonymous Posts
You are safe. For all those who posted anonymous questions, the link between those questions and the real profile has not been compromised (or at least that is what Quora says, and we have to believe them).
What Quora is doing about it
The data is gone; there is not much they can do about it. But they need to tell people that they are doing something, so they have done just that and told us:
- Quora stated that they have hired a leading forensic agency to identify how the hack succeeded
- They have informed law enforcement agencies to pursue the case, which might lead to the ‘attacker’.
Yes, Quora used the word ‘attacker’ and not ‘attackers’, so let's see what we see in the future.
Every Quora User Account Security
It's a good thing that Quora came out with the hack disclosure and sent emails to 100 million users, so at least some might think that not all is lost, but I wouldn't take their word for it, and every Quora user must take the following security precautions:
- Change your Quora password by going into Settings and clicking “Change Password”.
- Change the password elsewhere. Even if the password is hashed with a unique salt, it's only a matter of time before a passwords.txt file with your password in it shows up on a sales page. Change your password on other sites if you are using the same one.
Google / Facebook sign-in is an option provided by Quora, and I also use the Google sign-in option; this saves me from keeping a “password”. Although Quora has revoked the access tokens, how about also removing the app from your account settings?
- Google: Go to Google Account > Settings > Apps with Account Access, scroll to “Quora” under “Signing in with Google” and hit “Remove Access”.
- Facebook: Open your Facebook > Settings > Apps and Websites > Quora, check the box in front of it and click “Remove”. If you have used the Facebook app to sign in, it means you have shared more than just your email or profile; you have shared your birthday [Why your birth date is important to Hackers], city and current location, and there is nothing you can do about it now. Maybe try not to use Facebook as a sign-in option.
Website hacks and data breaches will only increase, and the amount of data we put online will increase too, raising the threat these breaches pose to us. We can only stay alert and follow best practices to secure ourselves, but the Quora breach makes one wonder: why didn't they ask the question on their own website, “How to protect Quora from Hackers” 😉.
What's your take on this, and how do you keep your passwords safe?