Quora hack leaves details of 100 million accounts exposed


Graham Cluley


It’s not a site that I use often, but I woke up this morning to discover that overnight I had received two emails from Quora.

Turns out that over the years I have created two accounts on the Quora question & answer website, which means that I actually received two email notifications from them that they had been hacked.

And I wasn’t the only one surprised to hear from Quora.


Part of the email reads as follows:


We are writing to let you know that we recently discovered that some user data was compromised as a result of unauthorized access to our systems by a malicious third party. We are very sorry for any concern or inconvenience this may cause. We are working rapidly to investigate the situation further and take the appropriate steps to prevent such incidents in the future.

What Happened

On Friday we discovered that some user data was compromised by a third party who gained unauthorized access to our systems. We’re still investigating the precise causes and in addition to the work being conducted by our internal security teams, we have retained a leading digital forensics and security firm to assist us. We have also notified law enforcement officials.

While the investigation is still ongoing, we have already taken steps to contain the incident, and our efforts to protect our users and prevent this type of incident from happening in the future are our top priority as a company.

According to an advisory and FAQ published by Quora, approximately 100 million Quora accounts may have had their information accessed by hackers. (Even allowing for users who, like me, have more than one account, that is an awfully large number.)

The information accessed by the hackers includes:

  • Account information, e.g. name, email address, encrypted passwords (hashed with a salt that varies for each user), data imported from linked networks when authorized by users
  • Public content and actions, e.g. questions, answers, comments, upvotes
  • Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)

Questions and answers that you posted anonymously are not affected by the breach (Quora's advisory notes that it does not store the identity of people who post anonymous content). That does not exempt the rest of your account data, however.

Quora users will be prompted to reset their passwords at their next login. Or you can delete your account which will erase your profile, messages, comments, and answers you have posted. The site will, however, retain any questions you have asked on the site (albeit disassociating them publicly from your name).

I’m certainly going to consider deleting my account, as I barely remember using the site. The fewer websites that retain your personal information, the better.

Whether you delete your account or not, please be sure to check that you have not made the mistake of reusing the same password on multiple websites. It’s a recipe for disaster: a password cracked from one site's leaked hashes will be tried against your accounts everywhere else. If you have a question about how you are supposed to create and remember strong, unique passwords for all of the websites you access I have a simple answer for you: get a password manager.
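To make concrete what "hashed with a salt that varies for each user" buys you, and why it is no substitute for a unique password, here is an added example (my own illustration, not Quora's code; the algorithm, iteration count and sample passwords are assumptions). It stores passwords with a per-user random salt, then runs the offline dictionary attack an attacker would run against a leaked record: the salt hides that two users share a password and defeats precomputed tables, but a weak, reused password still falls to a wordlist, while a manager-generated one does not.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Quora's advisory says only that passwords were "hashed with a salt that
# varies for each user". The concrete choices below (PBKDF2-HMAC-SHA256,
# 16-byte random salt, 100,000 iterations) are assumptions made for this
# illustration, not a description of Quora's systems.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password with a per-user random salt.

    Returns a self-describing record 'pbkdf2-sha256$<iterations>$<salt hex>$<digest hex>'
    so the verifier can recover the parameters without a separate lookup.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2-sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_visible(stored_a: str, stored_b: str) -> bool:
    """Can an attacker tell from two leaked records that the users share a password?

    With per-user salts the answer is no: equal passwords give unequal records,
    so the attacker cannot crack one user and get the other for free.
    """
    return stored_a == stored_b


def crack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack, as run against a leaked record.

    The salt sits next to the hash in the leaked data, so it does nothing to
    stop a targeted guess; it only forces the attacker to do the work per user
    instead of reusing a precomputed table.
    """
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample data: two users who picked the same weak password,
    # and one who let a password manager generate a random one.
    alice = hash_password("Winter2018!")
    bob = hash_password("Winter2018!")
    carol = hash_password("t7Q#vL9mZr2!pXwK4sB8")  # constructed, manager-style

    print("alice record:", alice)
    print("bob   record:", bob)
    print("reuse visible from the records alone?", same_password_visible(alice, bob))

    # A tiny constructed wordlist standing in for the multi-gigabyte lists
    # attackers actually use against a dump like this.
    wordlist = ["password", "123456", "Winter2018!", "letmein", "qwerty"]
    print("alice cracked as:", crack(alice, wordlist))
    print("carol cracked as:", crack(carol, wordlist))
```

The lesson for a user is the second half of the output: the salt protected nothing for Alice, because her password was guessable, and once cracked it would be tried against every other site she used it on. Carol's record is just as exposed in the dump, but the wordlist never lands on a random 20-character string.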

To learn more about password security you can do a lot worse than listen to this episode of the “Smashing Security” podcast:

Smashing Security #099: 'Passwords - A Smashing Security splinter (replay)'


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “Quora hack leaves details of 100 million accounts exposed”

  1. Michael Wosnick

    I was one of the ones who also got these e-mails. I was less worried about any Quora "questions" I have ever answered there than I was about the part where they reference "data imported from linked networks when authorized by users". Does this mean that if you logged in via Google, for example, that your Google credentials have potentially been compromised? Not sure how that part works…

  2. Jim Dibb

    I deleted my account, which was connected via Google. It was also the push I needed to get myself out of there. So many inane, poorly asked, easily Googled and or trolling questions it was more like watching a train wreck than anything else. I do have to say I have great respect for a lot of the answer authors that put so much time into reasoned, detailed and highly technical answers to often idiotic questions. From Quora I learned that, in fact, there ARE stupid questions. Love the podcast!
