Question-and-answer website Quora said Monday night that account data, including private messages, of around 100 million users may have been exposed after a “malicious third party” gained access to one of the company’s computer systems.
The breach was discovered on Friday, but only reported on Monday, in keeping with the 72-hour public disclosure window required under Europe’s new data protection regulations, known as GDPR. While Quora is headquartered in Mountain View, California, the company operates in EU countries, meaning it was required to report under European law.
Right now, the company is focused on notifying all users who may have had their personal data exposed — about one-third of the site’s accounts. The trove of data that hackers may have accessed includes names, email addresses, imported data from linked accounts, hashed passwords, and direct messages, Quora’s Chief Executive Officer Adam D’Angelo said in a blog post. He added that the direct messaging feature was used by a “low percentage” of Quora users.
Users who asked or answered questions anonymously on Quora, a key feature on the site designed to bring more candor around sensitive topics, were not affected by the breach, since Quora does not store the identities of people who post anonymous content, according to D’Angelo.
“We are continuing to work very hard to remedy the situation, and we hope over time to prove that we are worthy of your trust,” he wrote.
The breach is unlikely to result in identity theft, D’Angelo said, since Quora doesn’t collect social security numbers or financial information. However, it comes as Europe is enforcing strict new guidelines that require companies to swiftly notify authorities and users of a breach or risk facing fines as steep as 4 percent of their annual revenue.
In a security update sent to users on Monday night, the company said it was logging out all users who may have been affected and invalidating their passwords “out of an abundance of caution.”
The breach disclosure prompted some Twitter users to remark that they had forgotten about their Quora accounts.
With all of the recent data breaches, including a Marriott breach affecting as many as 500 million guests, one Twitter user jokingly shared the encrypted string of letters and numbers that he said would lead to his bank account and various social media accounts.
Why? “Because you probably have it anyway.”
Robert Siciliano, a security analyst at Hotspot Shield, said none of the data stolen would lead to “pure identity theft,” but cautioned that users should change their passwords.
“And, as with any email address leak, users should be cognizant of phishing attempts,” he added.