
Quora User Data Compromised - joebeetee
https://blog.quora.com/Quora-Security-Update?share=1
======
dang
[https://help.quora.com/hc/en-us/articles/360020212652](https://help.quora.com/hc/en-us/articles/360020212652) contains more detail.

------
jacquesm
This is why I hate companies that force you to sign up to gain access to
content. I do not _want_ that relationship. Sooner or later those systems will
be legacy and then maintaining them will be a pain. Bitrot will set in and
sooner or later there will be a breach.

One new development is that you used to be able to get your invoices mailed
via snail mail. Then that disappeared and you got your invoices mailed via
email. Then _that_ disappeared and now you have to create an account on some
portal so that you can download your invoice. So that's one userid/password
combo per business relationship or service that you use privately. Healthcare,
HOA, insurance, payroll etc., every bloody two bit player requires you to log
in to their oh-so-secure service rather than sending you your stuff.
Which requires a ton of overhead and - sure enough - sooner or later they get
hacked because by then the amount of data they hold on to is more valuable
than their security could reasonably be expected to defend.

~~~
jedberg
I use privacy.com and Lastpass to help with this problem. Any time there is a
service I have to have a business relationship with that I don't trust to keep
my info secure, I use a unique password and a unique credit card number with a
tight limit. What's nice is that they tie the card to a single vendor too.

For example, the water company. I know the water bill is usually $50 or less,
so I set the limit to $60/mo. As it turns out, they _did_ get breached. I got
an alert about someone who isn't the water company trying to hit the card for
80 cents. Most card runners use amounts under $1 because most credit card
spending alerts have a $1 minimum. But privacy.com warned me, so I warned the
water company, who was very thankful. Turns out their 3rd party provider had
been breached and they were grateful for the alert too. Ended up saving a few
thousand of my neighbors a lot of headache.

~~~
jjoonathan
Lastpass has been going downhill with every acquisition and had gotten to the
point where autofill failed on the majority of sites and the "copy password"
menu item disappeared, bringing clicks-to-login from 1 to ~10.

A few weeks ago I saw bitwarden finish their third party security audit and
took the opportunity to jump. Couldn't be happier. Autofill fails less, the
"copy password" menu works, the mobile experience isn't intentionally broken
to sell an app, and export->import went without a hitch. Better, actually: it
is the first time I have done an export/import and had the resulting data
immediately work better in the second app. There's also the hope-springs-
eternal factor of bitwarden giving me the option to host the sensitive stuff
myself once I get off my butt and set up that server I've been meaning to for
a while now.

If you're thinking about lastpass, save yourself the trouble and try bitwarden
first. Or something else, but bitwarden has been good to me and lastpass,
well, hasn't, to put it politely :)

~~~
silasdavis
LastPass is one of my least liked most used tools. Everything about the
implementation feels second rate; slow, unreliable login capture, unreliable
form fill, occasional inability to edit records, buried password copy, clunky
UI, inappropriate modal nagging in browser and app... Most times I use it I am
cursing it.

I tried to switch to pass, and I'm not sure if it was something to do with how
I imported but it didn't list my passwords and the browser plugin was clunky
and didn't work. Anyone had success with pass/gopass?

Bitwarden seems like a happy medium, I'd rather not do my own password ops. The
pricing seems fair (and rather optional). I'll try it, thanks.

~~~
mrhappyunhappy
I have the same disappointing experience with LastPass and have grown tired of
it. One of these days I will do something about it!

~~~
stingraycharles
Check out Keepass! Rather than syncing directly into a Cloud, it allows you to
store a database file into any location. It supports MFA (e.g. by combining a
password with a secret file, or a Yubikey). And everything is open-source.

I like the model a lot, because it solves the "database ownership" issue,
where your Password provider (be it LastPass, 1Password, etc) becomes in
itself a weak link.

~~~
Cthulhu_
I used to use KeePass but the lack of a proper crossplatform UI eventually
broke it for me; KeePassX on linux looked and performed terribly, the Android
app was just bad, etc etc etc.

I switched to 1password which - at least at the time - offered a web-based
fallback hosted from your own dropbox. Plus at the time you owned the data and
were responsible for storing and syncing it. Dropbox support came out of the
box but if you want you can use a local file.

~~~
falcolas
Have another look at KeePass. They recently got a native Mac implementation,
and I seem to recall seeing a new one for Linux at the time.

On the Mac, KeePass now feels like a better experience than having to pay a
subscription for 1password.

~~~
jsmit
Or MacPass for macOS, which was a very slick alternative to the KeePass
application at the time.

------
throwaway66666
In 2013 a quora moderator contacted me and demanded that I provide my real
name, and information that my name is real or they would ban my account. I
tried reasoning with them, that I just wanted to view content and did not
intend to write answers or interact etc, plus, they had a valid email address
and facebook profile (also fake name on facebook). They fought back "we
actually want proof of your real name like a scan of ID". I danced around and
did not end up giving them a scan of my id, but I changed it to my real name.

Today my information is probably leaked. Information I didn't want to give and
that they threatened me for it.

Where is the apology Quora? From all the recent leaks this is the one that
pisses me off the most, because it's the one that was forced onto me.

~~~
PascLeRasc
Can I ask why you wanted to view Quora's content so much? They flood Google
search results but I've never seen a single substantial answer on there - it's
like an off-brand Stack Overflow with an even worse "I know programming so I'm
smart about every subject" problem.

~~~
xtracto
My experience with Quora answers has been that they are blatant ads from
people working on different companies.

Just search for anything like "what is an open source alternative to X" and
the results will be a lot of people trying to justify why their Y paid option
is a good solution for your problem.

~~~
ballenf
I quickly stopped using Quora after finding the answers consisted solely of
scam software (just didn't work), adware or stolen & rebranded software.

It seems to be popular with scammers and they have taken over.

~~~
dhimes
In other areas it seems like it's people working on their craft of writing
fiction, notably erotic fiction. Questions like "What's the naughtiest thing
you've done at work?" generate those kind of responses. Which is fine, just
don't expect me to believe it really went down like that.

------
orliesaurus
I really started hating Quora a while back, probably 3 years ago and stopped
collaborating. Most because "people" were spamming answers with marketing
bs... So many answers start with "I'm Bob, CEO of MyCompany.com, I am an
expert in this and that"

Most Quora users are hungry for answers and flood-request you to answer their
question just because the system recommends them to do so. No matter how many
times you pass, the system still keeps notifying you that "you are needed".
Quora doesn't understand a no is a no.

IMHO -> There truly isn't any benefit on providing good answers on Quora,
other than stroking your ego, might as well become a micro-influencer on
Instagram.

Even worse most questions seem truly 1-Google search away and the answers are
low-effort. Sure you do have some rare gems, and those are truly amazing to
read. Alas, that's not often and spamming answers just for the sake of
answering has become a reality.

~~~
Clyybber
I feel like questions like "Why is <insert my opinion here> true?" have become
increasingly common too. That's like asking: "Please confirm my opinion, I
don't want to learn anything new!"

------
stickfigure
Wow. If this had happened a couple years ago, before they made all the
anonymous entries truly anonymous, this would have been _really_ ugly.

It's a valuable lesson in "don't keep data you don't need".

EDIT: A little backstory for non-Quorans. Until early 2017, anonymous Quora
answers and comments were anonymous to the public but not actually anonymous
in the database (they were still "your" entries). In early 2017 they
(presciently) made all this content fully anonymous, even in the database.

~~~
npunt
Their doc says:

> Is content posted anonymously still secure?

> Yes. Anonymous content cannot be connected to user accounts, so content
> posted anonymously is still secure.

[https://help.quora.com/hc/en-us/articles/360020212652](https://help.quora.com/hc/en-us/articles/360020212652)

------
throwaway292939
I feel that this is becoming a standard narrative. SV company comes up with an
idea, decides harvesting lots of user data is how they will monetize. VCs pump
in a lot of money and expect their returns, so company is now forced to
collect even more data aggressively (the sign-in wall that many others have
pointed out is an example of this). VC pressure causes company to "innovate"
fast, most likely trading off security for new features in the meantime. As
this progresses and they become more valuable, they are then targeted by
hackers, which causes some type of compromise of users' data.

Quora is an intimate medium — tied to real names, real and often deep
interests. It's especially bad that this happened.

There needs to be a better way to realign incentives in this ecosystem,
otherwise this story will repeat.

~~~
ttty2
I'm still amazed to this day that people give real names to their online
accounts. I'd never put my real name anywhere online. It works quite well for
me and if my data is leaked, I'm still ok. Probably I should use more email
accounts to don't be linked, but it's fine anyway.

------
sharkweek
At this point I am operating on the assumption that ALL businesses that have
my data are going to inadvertently leak it at some point, and thus I am
attempting to provide individual companies with as little information about me
as possible.

The toughest ones here are my online banking and my online health portal, but
other than that, I have gotten pretty picky about what information I give any
company.

~~~
beefsack
This is a healthy mindset to have.

I feel that for every company that self-reports a leak, there are multiple
other companies that have leaked your data and either haven't discovered the
breach, refuse to disclose it, or flat out sold your data to the highest
bidder.

~~~
spydum
You would be correct. The US, I might remind you, does not have a national law
on the books regarding data breach notification. Even at the state level it
varies pretty wildly, and on top of that, most notifications are only required
if there is evidence. So here is the challenge: what if I keep no
logs, and have terrible security monitoring capability? If I am notified or
discover a critical vulnerability on my own, but have inadequate logs to show
or detect if it was exploited... am I required to notify? I have been told no
(I fervently disagreed; I think suspected breaches, or critical
vulnerabilities which may lead to breaches but were inconclusive should still
require notification).

~~~
jwr
Still, I would have thought it is good practice to notify your users if you
leak their data to thieves. Quora did the right thing and should be applauded.

As a counterexample, it seems that Newegg had a massive breach (thieves
installed JavaScript that skimmed credit card numbers for weeks) in August,
and even though my credit card was likely stolen, I never heard about it from
Newegg.

~~~
bigtunacan
Not sure why you didn't hear from Newegg, but they did send out a mass email
notification with details of the breach.

~~~
mtone
I somehow got their email a week or so after the event, and after my card's
fraud prevention called for suspicious activity, reverted the transactions and
cancelled my card. The bank official was not aware of the leak.

------
chmars
[https://blog.quora.com/Quora-Security-Update](https://blog.quora.com/Quora-Security-Update)
seems to be misleading, especially the introduction. They
start with 'some user data was compromised', however, it seems that for
'approximately 100 million Quora users' – that's basically all users! – all
user data was compromised …

In addition, many questions remain open, for example: Which ' leading digital
forensics and security firm' is working for Quora?

I hope for Quora that they met their 72-hour deadline according to the GDPR.
Looking at
[https://www.quora.com/about/privacy](https://www.quora.com/about/privacy), it
does not look as if Quora was / is GDPR-ready. They do not mention any legal
basis for the processing (art. 13 GDPR) and they do not inform about their
GDPR data representative in the EU (art. 27 GDPR).

~~~
MattHeard
There can only be one digital forensics and security firm in the lead, right?
All of the other firms are trailing...

~~~
mLuby
This is more like "leading experts"––there's no "best expert". Just marketing…

------
MattBearman
I think at this point it should be standard practice to say _what_ hashing
algorithm is used in passwords when disclosing a breach.

The email I got from Quora just says “encrypted” passwords, and while the blog
post says “hashed”, it doesn’t say what algorithm. For all we know it could be
something useless like MD5

~~~
ShinTakuya
It'd be useful in the sense that you'd be able to warn others, but for your
own password you should be using a password manager with auto generated random
passwords. That way the only thing you need to do is change one password on
the leaked site.

~~~
MattBearman
That's exactly my point. I use 1password to handle my logins, but most people
I speak to use the same password for everything, so knowing how likely it is
that other services could be compromised due to this is vital.

------
s3r3nity
So I'm not a security expert, so I ask this in real earnest to learn: what is
it that these companies keep doing wrong, and/or why aren't they adjusting to
the climate that these types of attacks are increasing over time?

Or are they trying to adjust, and the attacks are getting so sophisticated
that the pace of investment in counter-measures is below that of the pace of
advancement in the complexity of attacks?

Or something in the middle?

~~~
toofy
It’s a whole lot of things, but first and foremost and probably the simplest
explanation, security is hard. Incredibly hard.

Once you understand how difficult attack mitigation is, then you can pick and
choose from a variety of factors:

\- executives may not have a realistic understanding of how difficult attack
mitigation is so they don’t allocate the resources for hiring

\- incompetent admins overestimating their abilities

\- competent admins who are underfunded

\- incompetent admins who underestimate the value of the data they’re
protecting

\- competent admins who may not have an accurate picture of what data
they’re trying to protect so their threat model is flawed due to inaccurate
information

\- executives who are aware of how difficult mitigation is but don’t place
customer data privacy as a priority.

\- the current iteration of our growth obsessed corporate models
unintentionally results in a race to the bottom in many ways.

\- little incentive for companies to factor in social impacts as we don’t yet
seem inclined to figure out a way to include impacts on society as _one of the
many_ metrics to measure a company’s success or failures.

It’s worth remembering though, even the most responsible, most well funded,
most security conscious, and best staffed organizations have been compromised
at one point or another—security is hard.

~~~
closeparen
An organization running original software on the internet first needs to be
preventing vulnerabilities in its own codebase. Nothing “admins” do is going
to help much if the application itself is full of SQL injection and direct
object reference. You can have impeccable configuration, firewalls, etc. and
not even be playing the game.
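As an added illustration of the two bug classes named above (this is example code written for this page, not anything from Quora or from anyone in the thread), the following Python builds a constructed in-memory SQLite table of users and direct messages, then puts a string-built query next to its parameterized form, and a message lookup by id alone next to one that carries the ownership check into the query. Table and column names are invented for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data: two users, each with one private message."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice@example.com"), (2, "bob@example.com")])
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)",
                     [(10, 1, "alice's private note"), (11, 2, "bob's private note")])
    return conn


def find_user_vulnerable(conn, email):
    """SQL injection: the caller's string becomes part of the SQL text."""
    sql = f"SELECT id, email FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, email):
    """Fixed: parameter binding; the input is data and can never become SQL."""
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchall()


def get_message_vulnerable(conn, current_user_id, message_id):
    """Direct object reference: any logged-in user who guesses another user's
    message id reads it, because the lookup never asks who owns the row."""
    row = conn.execute("SELECT body FROM messages WHERE id = ?", (message_id,)).fetchone()
    return row[0] if row else None


def get_message_safe(conn, current_user_id, message_id):
    """Fixed: ownership is part of the query, so someone else's message is
    indistinguishable from a message that does not exist."""
    row = conn.execute("SELECT body FROM messages WHERE id = ? AND owner_id = ?",
                       (message_id, current_user_id)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable lookup:", find_user_vulnerable(db, payload))   # every user
    print("safe lookup:      ", find_user_safe(db, payload))         # nothing
    print("bob reads alice's note (IDOR):", get_message_vulnerable(db, 2, 10))
    print("bob reads alice's note (fixed):", get_message_safe(db, 2, 10))
```

The ownership check belongs in the query rather than in a branch after it; that way there is no code path that fetches the row first and forgets to check, and the "not yours" and "not found" responses stay identical.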

~~~
toofy
Absolutely. Apologies if I indicated my list were the _only_ possible issues
at play.

------
Jedd
It's genuinely hard to imagine a second-rate question and answer site could
have any credentials, or indeed any non-public content, that anyone else could
be interested in. From the list of what's been taken, it sounds like it's
mostly email and hashed passwords, though I suspect Quora's user base is not
entirely populated by people committed to a strict one-off password policy.

Happily I get to once again bemoan the disappearance of JCSV, who was
astounded that Quora was still a thing five years ago:
[http://jesuschristsiliconvalley-blog.tumblr.com/post/4896203...](http://jesuschristsiliconvalley-blog.tumblr.com/post/48962035819/quoraquoraquora)

------
manigandham
Seems like a complete database exfiltration. Quora advertisers also had info
compromised from a separate email notice:

\- Account information available on the Ads Manager account settings page.

\- The email address provided for notifications about your ad campaigns.

\- Campaign structure and setup, including information like budgets, schedule, bids, targeting, and ad information.

\- Notifications that were in your Ads Manager, such as ad paused, logo approved, and ad ready.

\- Audience setup information available on the Ads Manager audience page such as types and creation date.

\- Partial credit card information, including name, expiration date, and the last four digits of the credit card.

------
abraae
The Quora link to more details is a masterpiece of corporate obfuscation.
Posing as a FAQ, it presents questions, then proceeds to not answer them (at
least, as of a few minutes ago).

[https://help.quora.com/hc/en-us/articles/360020212652](https://help.quora.com/hc/en-us/articles/360020212652)

What happened? - not answered in any detail

What kind of user data was affected? - answered!

How do I know if I was affected? - not answered

How was it brought to your attention? - not answered

How many Quora users are affected? - not answered

~~~
codezero
All of these appear filled out now.

Quora is good about responding quickly, which should be appreciated. That the
FAQ wasn't fully filled out was just because it was being filled out. I know
this can be an awkward experience for someone who immediately sees and
responds to the tech news, but a bulk of their users won't be that profile.
They got the framework for response laid out immediately, and are working on
the responses. This seems pretty solid.

~~~
abraae
They were already filled out, but with non-answers. For example:

> When did you first learn of the issue? How was it brought to your attention?

> We first learned of the issue on November 30. Upon learning about the issue,
> we immediately launched a comprehensive investigation and remediation
> effort.

There is absolutely nothing in there about how this was brought to Quora's
attention. Did they see identities for sale on the dark net? Were they
approached for a ransom? Did a user inform them? Nothing.

The other questions ditto.

~~~
codezero
Ah OK – I read this wrong then. My bad. I am confident, or at least
optimistic, they will make improvements, if not, then I'll let you know how my
foot tastes.

------
niuzeta
No system is breach-proof; security breaches happen. We as engineers should
strive to reduce the break-ins and diligently push for high standards
nevertheless.

Having said that, this is pretty much a perfect response to the situation.

1\. Quick turnaround from the breach to the announcement

2\. Concise description of what happened

3\. Owning the mistake

4\. Update of their mitigation

5\. Promise to follow up & actionable items

6\. Additional technical detail for the more interested: [https://help.quora.com/hc/en-us/articles/360020212652](https://help.quora.com/hc/en-us/articles/360020212652)

It sucks that this happened, but for that alone I'd like to applaud Quora
team. Yes, it would've been _great_ if they didn't have to force me to sign up
from the first place. It would've been great if this breach has never
happened. But for the context, they're handling the issue as well as possible.

------
ulfw
This is all bullshit. My data is all over the place. At this point I expect
none of my personal data to be private. This last few weeks alone my data was
stolen from British Airways, Cathay Pacific, SPG/Mariott, Quora. As users we
are completely powerless.

Time for change. Time for intelligent heads to come together and think of how
a better internet security architecture needs to look like.

~~~
swarnie_
I wonder how easy it would be to piece together all these breaches with any
degree of accuracy to build a "complete picture" of an individual.

Say your name, email address and social get leaked in one 500m user dump and
your email passport number and actual address in another. I've never worked
with datasets on this scale hence the ignorance.

Maybe its possible for one person of interest but how complicated would it be
to match up everything?

~~~
colinbartlett
I’ve often wondered if I am helped by my practice of using
[servicename]@[mydomain.com] for each service I sign up for. I used to do it
to help control and track spam, then I stopped when spam stopped being an
issue. But now I feel like no longer having a single unique key to correlate
my data across different leaked data sets might also be a benefit.
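The question two posts up (how hard is it to stitch breaches together) and the per-service alias practice just described are both answered by a join on the e-mail column. The Python below is an added example for this page, not code from anyone in the thread; the two dumps are constructed sample records standing in for two unrelated breaches, and the field names are invented. It joins on the normalized address, then on the domain part alone, to show what an alias scheme hides and what it does not.

```python
from collections import defaultdict

# Constructed sample dumps. DUMP_A plays a Q&A site, DUMP_B an airline.
# Jane uses one address everywhere; Pat uses service-specific aliases on a personal domain.
DUMP_A = [
    {"name": "Jane Roe", "email": "Jane.Roe@Example.com"},
    {"name": "Pat Lee", "email": "quora@pat-lee.example"},
]
DUMP_B = [
    {"email": "jane.roe@example.com", "passport": "X1234567", "address": "1 Main St"},
    {"email": "airline@pat-lee.example", "passport": "Y7654321", "address": "2 Side St"},
]


def norm_email(rec):
    """Case and whitespace are not identity; attackers normalize before joining."""
    return rec["email"].strip().lower()


def email_domain(rec):
    """Weaker key: just the part after the '@'."""
    return norm_email(rec).rsplit("@", 1)[1]


def correlate(dump_a, dump_b, key_fn):
    """Inner-join two dumps on key_fn(record). Returns {key: merged record}.
    Records in dump_a that share a key overwrite each other, which is exactly
    why a shared domain such as a webmail provider makes a useless key."""
    index = defaultdict(dict)
    for rec in dump_a:
        index[key_fn(rec)].update(rec)
    merged = {}
    for rec in dump_b:
        key = key_fn(rec)
        if key in index:
            merged[key] = {**index[key], **rec}
    return merged


if __name__ == "__main__":
    print("joined on address:", sorted(correlate(DUMP_A, DUMP_B, norm_email)))
    print("joined on domain: ", sorted(correlate(DUMP_A, DUMP_B, email_domain)))
```

Joining on the full address links Jane's name to her passport and misses Pat entirely. Joining on the domain recovers Pat as well, because a domain that only one person uses is itself a unique key; the aliases only buy something when the domain is shared with many other people or when the aliases live under a provider's namespace rather than a personal one.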

------
brad0
Exposed Data:

\---

Based on what we have learned, some of our users’ information has been
exposed, including:

\- Account information (e.g. name, email address, encrypted password, data
imported from linked networks when authorized by users)

\- Public content and actions (e.g. questions, answers, comments, upvotes)

\- Non-public content and actions (e.g. answer requests, downvotes, direct
messages)

Questions and answers that were written anonymously are not affected by this
breach as we do not store the identities of people who post anonymous content.

~~~
thomasfromcdnjs
From an email I got

\---

What information was involved

The following information of yours may have been compromised:

Account and user information, e.g. name, email, IP, user ID, encrypted
password, user account settings, personalization data

Public actions and content including drafts, e.g. questions, answers,
comments, blog posts, upvotes

Data imported from linked networks when authorized by you, e.g. contacts,
demographic information, interests, access tokens (now invalidated)

Non-public actions, e.g. answer requests, downvotes, thanks

Non-public content, e.g. direct messages, suggested edits

Questions and answers that were written anonymously are not affected by this
breach as we do not store the identities of people who post anonymous content.

------
EamonnMR
I always found Quora's demand that I make an account merely to read, like
Pinterest, extremely rude. I don't think I ever gave in and made an account
but I suppose I can find out now.

------
bigiain
Interesting (to me, at least) that the regular Quora update emails land in my
inbox (or in the Social tab in Gmail, anyway), but the security breach
notification was spam filtered...

~~~
elorant
Well they probably sent a shit-ton of emails in a short timespan to notify
most if not all users which could have triggered spam algorithms.

------
gwbas1c
I recently got an email from Quora, "you read XXX, did you find what you're
looking for?"

I don't want every site that I visit sending me an email every time I click on
a Google result.

I hit that SPAM button as fast as I could.

------
antirez
That's lame, but there is to always remember that information leaks are
happening in almost every company out there. The way we build and run systems
is not adequate, unless very large efforts (like in the case of Google) are
made in order to try to limit the attack exposure, but this is not for
everybody cost-wise IMHO. Makes more sense for companies to limit the amount
of data they ingest. In this regard it's very bad that Quora or Linked-In
force you to login just to see content. As a user, if you want to live under
correct expectations, assume that your real name and profile picture, and
possibly a hashed password, are always automatically leaked.

------
breckuh
> ...there’s little hope of sharing and growing the world’s knowledge if those
> doing so ... cannot trust that their information will remain private.

Here's a crazy idea, circa 1990's: don't store their personal information!
Allow people to browse Quora without using their real names. I'm very happy I
deleted my Quora account when I did.

~~~
9dev
So you're under the impression Quora actually deletes all information related
to your account when you click on delete? I'd be surprised.

------
thwy12321
My take on Quora and business like them:

They are hiring people based on leet code questions and school prestige and
not based on real technical knowledge about systems. Their business people are
top school MBA grads with no security domain expertise. They then proceed to
build massive data collection programs using open source tooling that none of
them fully understand. Their business model depends on that data and
monetizing it in various ways. And so the complexity of their application goes
through the roof with regards to user data. Their user facing web apps are the
tip of the iceberg for a massive surveillance scheme.

~~~
amrx431
> They are hiring people based on leet code questions and school prestige and
> not based on real technical knowledge about systems

Isn't that true for almost all companies based in Silicon Valley?

~~~
thwy12321
The big companies, Google/Fb/etc hire that way but they also bring on niche
experts. Leet code at those companies is for the code monkeys. They hire the
people writing the ML/distributed systems/security code out of PhD programs
and targeted hiring. There's more to it, don't feel like typing it all up.

------
Bucephalus355
One thing I would like to do is have various US Senators send letters to the
major corporations, and perhaps even large open source groups (like npm), and
ask them, proactively, what they are doing to secure citizens around the
world's data.

There is something called the Cybersecurity Bipartisan Caucus in the US
Senate.

I have found calling these senators (which I have never done before for any
politician about anything) extraordinarily helpful and gratifying. I have even
explained that I don't live in their state, and yet they still listen and
clearly need the advice from good security/sysadmin people (like asking them
why Facebook still doesn't have a CSP Security Header).

It was only 6 days ago that the "International Committee on Privacy", made up
of Senators from countries around the globe, met in London to question Richard
Allan, VP of Privacy at Facebook. Mark Zuckerberg rejected the request for his
attendance.

[1]
[https://www.warner.senate.gov/public/index.cfm/cybersecurity](https://www.warner.senate.gov/public/index.cfm/cybersecurity)

[2] [https://www.parliament.uk/business/committees/committees-a-z...](https://www.parliament.uk/business/committees/committees-a-z/commons-select/digital-culture-media-and-sport-committee/news/grand-committee-evidence-17-19/)

[3]
[https://www.youtube.com/watch?v=1P97ubLDbJI](https://www.youtube.com/watch?v=1P97ubLDbJI)

------
rahimnathwani
It's strange that:

\- the linked article says the breach included hashed passwords, but makes no
mention of salt

\- the help page says they're forcing affected users to change their passwords

If the passwords were salted before being hashed and stored, then:

\- Why not mention it, so users (especially those who don't use unique
passwords on every site) know that it's not trivial for their password to be
found?

\- Why force people to change their passwords?

~~~
MichaelDickens
From the email that I received from Quora:

> the passwords were encrypted (hashed with a salt that varies for each user)

Looks like the article says the same thing.

~~~
rahimnathwani
At the time I posted my comment, the web page said:

encrypted password (hashed)

Now it says:

encrypted password (hashed using bcrypt with a salt that varies for each user)

------
mindcrime
The folks asking for snail mail are joking right? Snail mail is an obsolete
relic of a time gone by, and belongs in the dust-bin of history alongside
buggy whips, wood fired steam engines, betamax, etc.

Personally I'd pay to be able to _stop_ getting snail mail. If it weren't for
the one or two rare pieces of semi-important crap that show up, sent by
dinosaurs that don't realize we aren't living in the 20th century anymore, I'd
quit checking my physical mailbox once and for all. I mean, it's not like
99/100ths of what comes in there isn't junk catalogs, fundraising letters
from politicians I hate, sales flyers from stores I hate, bills that I pay
online already, mail meant for the previous residents, etc. But unlike email
spam, it actually costs me effort to scrape that garbage out of the box and
haul it to the dumpster.

Blech. Personally, I want no part of it.

------
cornstalks
> encrypted password

I hope they mean hashed, not encrypted.

~~~
guscost
Did a double take at this too, but they clarified that it means “hashed with a
unique salt” later on. Not a good word choice for a summary though!

~~~
hunter2_
They do indeed, but then for some reason, they also say "this breach may have
exposed ... the password you used" [0] which is a statement I think is wholly
incompatible with the notion of "hashed with a salt that varies for each user"
(but please let me know if I'm incorrect).

They can rightfully say "encrypted" to a lay audience because the definition
of encrypted is not so strict as to require decryptability, but why would they
say that the password might be exposed?

[0] [https://help.quora.com/hc/en-us/articles/360020212652](https://help.quora.com/hc/en-us/articles/360020212652)

~~~
varenc
It's reasonable your password might be exposed since the attacker can now
perform an offline brute force attack on the password hashes.

How likely it is your password gets brute forced really depends on the hash
function used. If it's md5... all but the strongest password could be broken.
(though at least the passwords were salted). If they're using something like
bcrypt with a work factor of 10+, it's a different story and only the weakest
passwords are at serious risk.

The fact that details on the hashing scheme aren't shared makes me assume it's
not great...
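The salt and algorithm questions raised above (whether "hashed" without a salt is worth much, and why a bcrypt-class hash changes the picture) come down to how much work an offline attacker has to do per user. The Python below is an added example for this page, not Quora's code and not code from anyone in the thread. It uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt, since bcrypt needs a third-party package and the argument (per-user salt plus a tunable cost) is the same; the wordlist and passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for an attacker's dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Tr0ub4dor&3"]


def md5_unsalted(password):
    """Weak scheme: unsalted MD5. Equal passwords give equal hashes, so a table
    built once from the wordlist serves every user in the dump."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_salted(password, salt=None, iterations=100_000):
    """Stronger scheme: a random 16-byte salt per user and a slow KDF.
    Returns (salt, iterations, digest); all three are stored with the user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def crack_md5_table(stored_hashes, wordlist):
    """Hash the wordlist once, then look every stored hash up: len(wordlist)
    hash operations regardless of how many users are in the dump."""
    table = {md5_unsalted(w): w for w in wordlist}
    return {h: table[h] for h in stored_hashes if h in table}


def crack_pbkdf2(records, wordlist):
    """With a per-user salt nothing can be precomputed or shared between users:
    every (user, candidate) pair costs one full KDF run. Returns the cracked
    {user: password} map and the number of KDF runs it took."""
    found = {}
    kdf_runs = 0
    for user, (salt, iterations, digest) in records.items():
        for candidate in wordlist:
            kdf_runs += 1
            if hmac.compare_digest(pbkdf2_salted(candidate, salt, iterations)[2], digest):
                found[user] = candidate
                break
    return found, kdf_runs


if __name__ == "__main__":
    strong = "zq!9#Lm2$vP8wK"
    md5_dump = [md5_unsalted("password"), md5_unsalted("letmein"), md5_unsalted(strong)]
    print("md5 cracked:", crack_md5_table(md5_dump, WORDLIST))
    pbkdf2_dump = {"alice": pbkdf2_salted("letmein"), "bob": pbkdf2_salted(strong)}
    print("pbkdf2 cracked, kdf runs:", crack_pbkdf2(pbkdf2_dump, WORDLIST))
```

Both schemes give up "letmein"; a dictionary password is a dictionary password under any hash. The difference is in cost: the MD5 table is built once for the whole dump, while the salted KDF costs users × candidates × iterations, which is what keeps everything but the weakest passwords out of reach. That is also why disclosing the algorithm and the salt, as asked for above, is actionable information for users who reused a password.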

------
spike021
>I didn’t know I had a Quora account. How is it that my email or information
was exposed? You may have signed up for Quora some time ago. While you might
not have regularly visited or used Quora, your account remained, and this
breach may have exposed some of your information, such as the email address
you signed up with, the password you used, or actions you took on Quora.

Would be nice if websites measured user activity and could 'lock out' or
otherwise release their data if they never use the site; at least, confirm
with said user via email if the account is needed.

But in this era, I'm sure companies would prefer to keep whatever data they
can get.

~~~
MrStonedOne
Byond (2d tile/sprite based online gaming platform) does this. After a year of
no activity they inactivate your account, and delete the hashed password. You
have to reset your password to regain access.

------
MagicPropmaker
In other cases customers have had trouble filing individual lawsuits for
damage because the companies successfully argue that the information--usually
credit information--doesn't belong to them, it belongs to the credit card
companies.

However, in this case, there is no credit card information to muddle up or
confuse a case. It's only a user's personal information--private messages,
moderator requests, reports against other users--that has been compromised,
because they didn't collect credit card info. And there's an enforced "real
names" policy that makes it identifiable.

------
xiphias2
From reading the details it looks like almost all user data (and every user's
data) is compromised. Using the word "some" should be illegal in this
instance.

------
sn41
Is Quora legally liable for compromised data? Making companies legally liable
for compromised data might be one way for them to be scrupulous about minimal
data retention.

------
skilled
Actually, I was looking at an answer last night and couldn't see it because my
account was logged out. This happens on Chrome from time to time, so I didn't
think much of it. But, when trying to log back in it said my password was
incorrect. This was before the announcement.

I wonder if some had their details reset altogether? Either way, this looks
like a major breach considering the value of people who have signed up with
Quora.

------
productdev
Quora would not allow you to read multiple answers by clicking on "similar
questions" (on the side) without creating an account.

And then this happens!

~~~
vtesucks
Valid point. If you're aggressively farming data, so much so that you log people
in automatically if they are logged into their Google account, then you'd better
be careful with that data too.

------
bogomipz
The post states:

>"We recently discovered that some user data was compromised as a result of
unauthorized access to one of our systems by a malicious third party."

"Some user data"

Then goes on to say:

>"For approximately 100 million Quora users, the following information may
have been compromised:

Account information, e.g. name, email address, encrypted (hashed) password,
data imported from linked networks when authorized by users Public content and
actions, e.g. questions, answers, comments, upvotes Non-public content and
actions, e.g. answer requests, downvotes, direct messages (note that a low
percentage of Quora users have sent or received such messages)"

Wouldn't this be closer to "all user data was compromised"?

It seems absurd for them to state "some user data was compromised." That
seems like a pretty comprehensive list of user data. What else would there be?

This is a company that for years forced account sign up and obscured user
generated content even for users who just wanted to browse unless you created
an account. Seriously fuck Quora.

------
pandler
I've started keeping a log of all information I provide to a company:
addresses, phone numbers, names, social security number, etc... I started
doing it just to keep track of everywhere I need to update next time I change
address, phone, cards, and emails at the same time[1], but it's been eye
opening to watch the list grow.

I think of it as something like a reverse password manager; instead of "here's
a website, what's my data", it's "here's a bit of information about myself,
who has it?"

It's a pain keeping that list updated but at this point I'm so hooked on being
able to see my personal info leak out into the world bit by bit that the
friction is worth it.

I'm still trying to figure out what I should do with the data I have on
myself, if anyone has any suggestions.

[1] That situation seems sketchy seeing it written down like that, so just
want to explain that it's because I moved to a different country (address,
phone, credit cards) and away from gmail at the same time.

------
the_clarence
How were the passwords hashed? Wait. You know what? At this point it doesn’t
matter. Using the same password everywhere is a broken concept and password
managers are still unadopted. At this point the only solution is either SSO
from a few points of trust (facebook, google, twitter, etc.) and/or password
managing+generation by default (safari, iOS)

~~~
mehrdadn
> At this point the only solution is either SSO from a few points of trust
> (facebook, google, twitter, etc.)

No, that's what made OpenID awful. Your accounts all go down if one of those
"points of trust" gets taken down for whatever (or no) reason.

~~~
the_clarence
It does suck. What I’m saying is that security for the people is not getting
much better than that atm.

------
nojvek
I hate Quora for the dark pattern practices of forcing you to login before you
can see anything.

In a way this is a great example of why you shouldn’t collect data willy-nilly.

I really really really hope we get some sort of a law where companies are
seriously liable for data breaches.

The US has a ton of tech companies but very little regulation that protects the
customer.

------
throwawayquora
Are there any details about how the passwords were stored? "Encrypted" is a
bit questionable. I'd expect hashed.

~~~
varenc
They clarify that the passwords were indeed hashed and salted. "Encrypted" is
just there to help the non-technical audience understand their passwords
aren't exactly leaked in plaintext.

No details on the hashing scheme used though, so we don't really know how easy
it'll be for the attacker to brute force the password hashes.

~~~
tootahe45
Because they didn't mention it, and the age of the site makes me think it
isn't something we'd consider secure.

------
tschellenbach
I've always been impressed with Quora's engineering team. Kinda curious what
slipped past them.

------
tlow
This is seriously distressing. This underscores the reasons why you should
never use a third party messaging system for any sort of private
conversations.

Why is this so easy? Is it impossible for a well-funded company to keep its
user information private? If so, can we act like it?

------
iharhajster
Several friends and I had our Steam passwords stolen. The lesson I learned was
not to have the same password for more than one service, because my gmail
account was hijacked too. The perpetrator stopped at changing the gmail language
to Polish, thank God. But the damage he/she could have done was much greater. It
was before "login attempt from unknown location" messages. It was a drag to
bring it all back but we did it. The lesson also is: joining any online
service/site, we must accept the risk that anything you provide could be stolen
at some point, and modify our usage philosophy of these services.

~~~
ngokevin
2FA when possible as well. Both Steam and Google offer this.

------
Cyclone_
This is another reason why I don't like the "social logins". You give them so
much data. They strongly encourage you to use the social login instead of
using the regular email sign up.

~~~
ec109685
At least your password won’t be exposed in that case.

~~~
akho
It will be, once fb/google is breached (which will happen eventually). The
consequences for you will be far more unpleasant.

------
josefresco
I received an email from Quora informing me of the breach, but I do not have
an account. I even used the "Forgot Password" function to confirm - why did I
receive this email?

------
z0r
Bruce Schneier says data is a toxic asset. He's right. There should be (will
be?) laws preventing collection of most data, and punitive liability when
collected data is breached.

------
rv-de
> While the passwords were encrypted (hashed with a salt that varies for each
> user), it is generally a best practice not to reuse the same password across
> multiple services, and we recommend that people change their passwords if
> they are doing so.

According to my trusted Password Safe
([https://pwsafe.org/](https://pwsafe.org/)) I call about 400 accounts my own
- each one with a unique random password.

------
abbot2
1. Force everyone to register to get access to content.
2. Leak that data.
3. ...
4. Profit. Not sure how this part works though.

I hope a lesson is learned: don't force users to register just because
you can.

~~~
YetAnotherNick
I see no lesson to be learned from the business perspective. If equifax can
recover from their data loss, any company can.

~~~
mulmen
Well equifax didn’t harm any of their customers so their bounce back should be
no surprise.

~~~
zbentley
I'll bite. How did they not harm their users?

~~~
mulmen
Equifax’s customers are whoever pays them for access to data. Their customers
are not the people who had their personal data exposed.

The first rule of Web 2.0 is still true: if you are not paying for the product
you _are_ the product.

~~~
zbentley
It costs me money (past a certain number of freebies) to access Equifax's data
on me--to get a credit report.

I get that this is not their main business model, and that their customers
that they bundle and sell consumer data to are more valuable. But end users,
in this case, are still customers. They still pay money and get a service in
return. Contrasted with e.g. Google services, it's a different scenario.

------
King-Aaron
I somehow got added into the Quora ecosystem some time back, without even
actually signing up from memory. Just one day I'm getting notifications that
someone is talking to me on Quora.

Even though I didn't explicitly set up an account, it seemed to have done it
for me already. I just assumed it was one of those shitty content aggregation
platforms like the sorts that steal all the posts from Stackoverflow and
rebrand them.

------
ausjke
From now on, I will assume all my user data will be compromised. We need a new
way to store user data; it will be a balance of convenience and security,
but more importantly, it needs to be temporal, i.e. the user data shall not be
static anymore, something like a virtual and temporarily generated password
for each session?

------
blablabla123
It's quite obvious that Quora doesn't care a lot about user data. Just to
look at the website, you need to login with Facebook, and in fact other
users could at some point even see which parts of the site you browsed to
without informing you. Kind of sucks; luckily I deleted my account half a year
ago.

------
thosakwe
Is it really that hard to keep a database secure?

Genuine question - not sarcasm. I would love to know how the attackers got in
in the first place.

Usually when I hear about a breach, my first reaction is “yeah, I would have
covered that from the start,” but if there’s something to be learned here, I’m
all for it...

~~~
codezero
Yes it is, when you have the surface area of a company like Quora, or even a
much smaller company.

I worked at Quora, and totally unrelated, at my current company, had the
opportunity to source and be point on multiple penetration tests. At my
current company, I work with some people I consider extremely competent at
SQL, and in particular PostgreSQL, but that didn't stop the pentesters from
finding SQLi in our code. It sneaks in, and all it takes is one fuck up for a
hacker to go to town.

I think that most startups don't understand the value of dropping 20-30k on an
engagement with a competent pentest company, and this can propagate even
longer into an org to the point that they never bother to get outside testing.
Don't fall into that trap. Having a third-party with eyes on your org is worth
every cent. If you run a startup or aspire to, I highly recommend you consider
getting a pentest when you have ~5M ARR, and continue to do a yearly
engagement to make sure your shit is covered until you can afford a full time
security staff.

------
revskill
What's bad about the Quora website is that, whenever you see an Answer
notification and click on it, instead of a popup for quick review, the website
will go to a new URL for the answers. That's why I don't use Quora much these
days, due to the stupid UX.

------
reitanqild
Feels good to have left Quora and gotten confirmation that they'd wiped my
account shortly after they hit mainstream. (Cannot remember exactly what
happened but I think they defaulted to showing every question I visited in my
public timeline or something.)

------
peter303
The game of large numbers: so hackers obtain a million passwords. How will
they decide to waste their time on any of them? In Quora's case, which requires
real identities and institutional affiliations, will they go after the cream of
the crop then?

------
pavanlimo
Clearly this is well orchestrated and professional. I'm wondering what could
be the motivation for such an attack. There is no monetary benefit whatsoever.
Perhaps some AI company wanting to acquire solid data to train their models?

~~~
askafriend
Rumors are that it was a disgruntled ex-employee.

~~~
thwy12321
Really? Do tell

------
NietTim
I didn't even know I had a quora account. Never continuously registered one.
Got the e-mail though. Tried to log in, had to "complete my account" before I
could go on.....wtf.... I deleted my account now, tho.

~~~
aczerepinski
I knew I had an account but it was via oauth and I had to create a "real"
quora account in order to delete it. The notice that they were storing
contacts from other social networks was the part that pushed me over the top
towards deletion.

~~~
NietTim
This must have been it. Still not sure at which point I've ever logged in to
quora, but I can't think of any other explanation

------
rblion
I haven't used Quora in over a year. It's been overrun with gurus.

------
MrStonedOne
No mention of hashing algorithm for passwords, so until they provide that
info, I would just assume they hashed with unsalted md5 or sha1 or even crc,
and treat it as if they had stored them in plain text.

------
magnamerc
The solution to data security is incorporating security at the base layer,
i.e. [https://universallogin.io/](https://universallogin.io/)

------
sambe
Is there an email notifying all users of the incident and a separate email
notifying those affected, or just one?

Many companies seem to use intentionally vague wording to suggest you might
not have to worry.

~~~
Dreami
I too got one email and I'm not sure now if I'm affected (I got the same
content as on the website in this email)

------
CiPHPerCoder
> Account information (e.g. name, email address, encrypted password, data
> imported from linked networks when authorized by users)

Quora encrypted passwords instead of hashing them? FAIL.

------
wenbin
This is the email that they sent to users:
[https://nfil.es/w/kHYd7t/](https://nfil.es/w/kHYd7t/)

------
Chazprime
I think we’re at a point where it’s safe to assume most of our data can be
collated into a frighteningly thorough profile of our lives for anyone on the
internet to see.

------
buboard
Not gonna shed a tear for the self-important people who wanted to slap their
wisdom on everyone signed with their real name. It's as much a failure of
quora as it is their own.

Anyone remember the glory days of facebook , when real names were
"revolutionary" and all the rage? Quora followed that cargo cult (founded by
facebook people, after all) and the consequences of that choice are due today.
We really need to introduce the concept of "expiring data" on the internet,
personal or not. After a reasonable amount of inactivity, identities should be
anonymized.

------
jcampbell1
They need to release their hashing algorithm. If it is some sha1+salt
nonsense, then they have exposed plaintext passwords for most of these people.
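
The offline attack varenc describes further up (and the reason MrStonedOne and
jcampbell1 treat an unannounced fast hash as roughly plaintext), as an added
example that is not from the Quora post or from any commenter. It is Python
using only the standard library: three constructed users are stored as
per-user-salted SHA-1 and, for comparison, as PBKDF2-HMAC-SHA256 at an assumed
100,000 rounds, standing in for bcrypt (which is not in the standard library).
The attacker holds the salts, so the salt does not stop guessing, only
precomputed tables; the user names, passwords and wordlist are made up for the
demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed "leaked" users (not real Quora data). Two passwords are in the
# attacker's wordlist, the third is a random string that is not.
SAMPLE_USERS = {
    "alice": "hunter2",
    "bob": "password1",
    "carol": "k3T9$wq!mB7zLp2f",
}

# Constructed attacker dictionary; a real one would be millions of entries.
WORDLIST = ["123456", "password", "hunter2", "qwerty", "password1", "letmein"]

# Assumed work factor for the slow hash; chosen so the demo finishes in seconds.
PBKDF2_ROUNDS = 100_000


def hash_sha1(password: str, salt: bytes) -> bytes:
    """Salted SHA-1: the scheme the thread fears. One hash costs microseconds."""
    return hashlib.sha1(salt + password.encode()).digest()


def hash_pbkdf2(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: stand-in for bcrypt/scrypt, deliberately slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def build_dump(hash_fn):
    """Simulate what leaks from the database: per-user salt and digest only."""
    dump = {}
    for user, pw in SAMPLE_USERS.items():
        salt = os.urandom(16)  # "salt that varies for each user"
        dump[user] = (salt, hash_fn(pw, salt))
    return dump


def crack(dump, hash_fn, wordlist):
    """Offline dictionary attack. Because the salt is in the dump, the attacker
    just hashes each guess with that user's salt and compares digests. The salt
    only forces the work to be redone per user instead of once per wordlist."""
    recovered = {}
    for user, (salt, digest) in dump.items():
        for guess in wordlist:
            if hmac.compare_digest(hash_fn(guess, salt), digest):
                recovered[user] = guess
                break
    return recovered


def compare_schemes(wordlist=WORDLIST):
    """Run the same attack against both schemes; return who was recovered and
    how long the attack took under each."""
    results = {}
    for name, fn in (("salted_sha1", hash_sha1), ("pbkdf2", hash_pbkdf2)):
        dump = build_dump(fn)
        t0 = time.perf_counter()
        found = crack(dump, fn, wordlist)
        results[name] = {"recovered": found, "seconds": time.perf_counter() - t0}
    return results


if __name__ == "__main__":
    for scheme, r in compare_schemes().items():
        print(f"{scheme:12s} cracked {sorted(r['recovered'])} "
              f"in {r['seconds']:.3f}s")
```

Both schemes give up the two dictionary passwords and neither gives up carol's;
what changes is the cost per guess, and with a per-user salt that cost is paid
again for every one of the roughly 100 million accounts. That is why the thread
keeps asking which algorithm was used: with a fast hash the wordlist attack
above scales to the whole dump in hours on commodity GPUs, with a slow one it
scales only to the weakest passwords.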

------
axiom92
[https://xkcd.com/1269/](https://xkcd.com/1269/)

Just be a nihilist, guys.

~~~
pier25
or a sage

------
mychael
I'm angry at them for this, but more angry at myself for not deleting my data
years ago when I stopped logging in.

~~~
system2
I am angry at myself for signing up for this stupid quora. Nothing but
advertising of offshore "web developers" explaining how their "product" can
solve the "question" they asked with their fake accounts.

I would love to punch the CTO of this company in the nose with passion.

------
lmilcin
"encrypted (hashed) passwords"

Was it hashed AND encrypted or another case of people not understanding the
difference?

~~~
invalidusernam3
Seems like "encrypted" is in there for laymen and "hashed" being a
clarification for more technical people. In the post they say: "... the
passwords were encrypted (hashed with a salt that varies for each user) ..."

~~~
lmilcin
In that case, how are laymen ever going to learn if we use incorrect words to
make them feel safer?

"Ah, they were ENCRYPTED so I don't have to worry"

The truth is they are most likely already reversed.

------
fouric
Does Quora still have a real name policy?

~~~
manigandham
Yes, but they also allow organization accounts now, and they're rather slow at
dealing with spam so around half the people you see are using fake names.

------
Jenz
This is why I’ve gone over to using a proper password manager, with unique
passwords for all accounts.

------
break_the_bank
Can anyone explain how Quora is still relevant? How did they raise the $85M
for their series D only last year?

To me it seems it's going the way of Yahoo Answers, if it hasn't already. It
might be gaining some traction in developing countries but the ratio of
signal:noise seems really low at this time, coupled with terrible UI.

------
sombragris
No announcement for me, but I cannot login no matter what I try.

------
zerop
This is one reason I dont write anonymous answers on Quora....

------
robbiemitchell
Advertisers had their campaign data compromised, too. Yeesh.

------
steve1977
Maybe they asked how to do website security on Quora...

------
rishikeerthi
Is anonymous question or answers also compromised?

------
onion-soup
This is why services like metamask will take over

------
sj4nz
This was a nice reminder to delete my account.

------
snek
quora already sells your data to as many third parties as possible... i don't
suspect this changes much.

------
nistak04
can they ask if their data was compromised on the question&answer site?

------
foobarbecue
And now they're 504ing...

------
dreyfiz
I'm experiencing a sense of schadenfreude because I'm embittered by Quora's
arrogant "real names" policy. They won't "let me" contribute.

Nothing insightful. I'm just here to kick them while they're down.

~~~
mirimir
It's not _that_ hard to be as anonymous as you like on Quora. It's been a
while since I contributed, because I got tired of their schizophrenic
moderation, but I don't recall that mobile text authentication was necessary.
Unlike say, Twitter. And even that isn't all that hard to get around, using
hosted SIMs.

~~~
dreyfiz
It's impossible for me to be as anonymous as I like on Quora, because they
require a government ID with the name I want to use. Which isn't even that
weird! It's my legal last name, plus my childhood nickname for a first name.

Your name just didn't provoke their Real Name Gestapo.

~~~
mirimir
Huh. Good to know, thanks.

------
johnmc408
Who is getting fired? Oh that's right, no one...

~~~
johnmc408
Just got my email from Quora...Who writes this drivel:

Conclusion

It is our responsibility to make sure things like this don’t happen, and we
failed to meet that responsibility. We recognize that in order to maintain
user trust, we need to work very hard to make sure this does not happen again.
There’s little hope of sharing and growing the world’s knowledge if those
doing so cannot feel safe and secure, and cannot trust that their information
will remain private. We are continuing to work very hard to remedy the
situation, and we hope over time to prove that we are worthy of your trust.

~~~
Puer
Some poor peon at the bottom of the ladder instead of the engineers/managers
actually responsible for the mistake. The great thing about being at the top
is being able to delegate away blame. After all, it's your job.

~~~
TylerE
Much more likely some highly paid PR flack, likely with corporate counsel
sitting adjacent.

------
ranpr0
Quora is an absolute shit show. It won't allow you to read content on mobile
web EVEN WHEN YOU ARE SIGNED IN! To top it they disallow any screenshots of
the same! Check here
[https://pbs.twimg.com/media/Dc-9ldcU8AUr23v.jpg](https://pbs.twimg.com/media/Dc-9ldcU8AUr23v.jpg)
[https://pbs.twimg.com/media/Dc-9ldbVAAALJfX.jpg](https://pbs.twimg.com/media/Dc-9ldbVAAALJfX.jpg)

Even though I have been a heavy quora user (reader and contributor), I would
be really happy if it died a really painful and stupid death

~~~
ssnistfajen
Zhihu (Chinese offshoot of Quora) does the exact same shit on mobile as a way
to force users to download their app (which pushes a ton of ads plus other
frills). Looks like they got their full playbook from Quora.

------
RoadieRoller
Barely a month back, in the facebook data breach thread on HN, I was downvoted
and my comment removed when I said that it has become a fashion for the top
500 web/e-com companies to come one day, announce a data breach and walk
away. I said there that it all looks to me like part of a conspiracy theory
where they hide behind a breach to sell data/buy data en masse for marketing
purposes.

~~~
wpietri
I don't think large companies have much interest in _selling_ data. It's a
long-term asset. The real money is in renting. E.g., Google and Facebook make
a lot of money renting access to you based on the data they have. That's far
more lucrative than selling the raw data once.

Also, it's implausible to me that selling the data wouldn't come out
eventually. As we saw with Cambridge Analytica, even pretty obscure uses of
data can eventually turn into giant media exposure for privacy breaches. The
brand damage is very expensive. Facebook's market cap is down something
like $100 billion; there's no way they could have made that kind of money from
trying to quietly sell copies of their data.

