Personal information of up to 100 million Quora users may have been compromised after a hacker gained unauthorised access to one of the social media platform's IT systems, forcing the firm to log out all affected users and to invalidate their passwords.
The massive breach was announced earlier today by Adam D'Angelo, the CEO of Quora, who said that the unauthorised access to one of the company's IT systems may have compromised names, email addresses, encrypted (hashed) passwords, and data imported from linked networks of approximately 100 million users.
Considering that Quora boasted over 300 million users by September this year, the data breach may have directly impacted at least one in three Quora users globally.
Data breach compromised a lot more than just PII
D'Angelo added that aside from personally-identifiable information, other data such as questions, answers, comments, and upvotes as well as non-public content such as answer requests, downvotes, and direct messages of up to 100 million users were also compromised as a result of the breach.
"On Friday we discovered that some user data was compromised by a third party who gained unauthorized access to one of our systems. We're still investigating the precise causes and in addition to the work being conducted by our internal security teams, we have retained a leading digital forensics and security firm to assist us. We have also notified law enforcement officials.
"We’re in the process of notifying users whose data has been compromised. Out of an abundance of caution, we are logging out all Quora users who may have been affected, and, if they use a password as their authentication method, we are invalidating their passwords," he said in a blog post.
"We believe we’ve identified the root cause and taken steps to address the issue, although our investigation is ongoing and we’ll continue to make security improvements. We will continue to work both internally and with our outside experts to gain a full understanding of what happened and take any further action as needed," he added.
The breach was the first major security incident suffered by Quora since its birth, but it did suffer a minor embarrassment in 2016 when a hacker group named OurMine, which calls itself a "security firm", hacked into the Quora account of Google CEO Sundar Pichai and posted several messages to his account.
Firms need to be more pro-active to secure their data
Commenting on the massive security incident suffered by Quora recently, Sam Curry, chief security officer at Cybereason, told TEISS News that the potential attack surface that corporations have to protect is a lot bigger and wider than it was just a few years ago, and this plays right into the hands of hackers. It is through persistence and patience that most adversaries are successful - try and try again until you are successful.
"This leaves corporations with the responsibility to implement a new offensive mindset and to very specifically take the fight to the adversaries. putting them on the defensive. Something has to change, because a hacker only needs to be right once to successfully compromise a corporation, while the defenders have to be right 100 percent of the time to avoid making headlines for the wrong reasons," he added.
Joseph Carson, Chief Security Scientist at Thycotic, said that the Quora incident demonstrates the risks of how organisations are collecting and storing sensitive personal information without clearly following security best practices on securing and protecting the data they have been entrusted to protect. Organisations needs to really prioritize data risk assessments and access controls to ensure the data is protected from easily compromised accounts.
"What is really concerning about this breach is how common organisations have used social logins to create news accounts and in doing so the customers allow access to their social media accounts which sometimes includes friend contacts, check-in information and more detailed contact information beyond what you would normally include when creating accounts. Another day of password resets will continue to cause cyber fatigue and it’s very likely that the passwords exposed here are the same passwords people are using for their corporate email account or even their bank account as password reuse is the biggest risk that people take today," he added.