Quora, the popular question-and-answer website, announced late on Monday that 100 million of its users have become victims of a cybersecurity attack. Adam D’Angelo, Quora’s CEO, wrote in a blog post that the hacking attack was discovered on Friday and as a result personal data of the affected users has been exposed. Read some questions and answers below to inform yourself about the massive breach.
Q: In what way were users affected?
A: The compromised personal data includes users' names, email addresses and encrypted passwords. Public and non-public content and actions were also targeted by the hackers. This means that questions, answers, comments, upvotes, as well as requests, downvotes and direct messages have been accessed by a malicious third party.
Interestingly, it turns out that some Quora users are unaware that they have accounts on the platform. This is because some social networks, like Facebook and Twitter, are linked to the Q&A website and use it for some of their games. Furthermore, Quora relies on website traffic coming from browsers where people search for questions. So, if you have been prompted to log in even once, to read just a single Quora forum, you do have an account. And yes, it might have been compromised.
Q: Were the 'anonymous' users somehow affected?
A: No. If you have used the platform without giving personal information to log in (e.g. you didn’t enter Quora via your Facebook or Google account), you are not at risk.
Q: When did Quora get to know about the hacking attack?
A reasonable question indeed, as we’ve witnessed cases where companies substantially delay disclosing an attack – like this one.
A: Quora said that it learned of the data leak on Friday and started sending emails to warn and apologise to its users on Monday.
Q: Is Quora doing something on the issue?
A: According to the official statement of the company, the following measures have been taken:
- They are conducting an investigation, internally and with external experts, to find the security hole;
- They are in the process of notifying users whose data has been compromised;
- They are logging out all Quora users who may have been affected, as a precaution. If they use a password as their authentication method, Quora is invalidating their passwords.
Q: Can users do anything to protect themselves?
A: There are several steps you can take:
- First of all, if you have become a victim of the hackers' attack, Quora will contact you via email and provide you with relevant details. The company’s general advice is for users to change their passwords immediately.
- In order to avoid using Quora through Facebook and Google, you need to disconnect social media accounts which have already been connected to the Q&A platform. Go to Your profile, choose Settings from the drop-down menu, then Account from the side menu and scroll down to see Connected Accounts – choose 'disconnect'.
- You could send an e-mail to email@example.com asking for your data to be deleted.
- And last, but not least, if you have questions, you can check if their answers are in Quora’s ‘Frequently asked questions’ page – here.
When it comes to technology, none of us should be overly optimistic. People and organisations with malicious intentions are always looking for systems to compromise and sensitive data to extract and misuse.
As users, to make sure we are protected and on the safe side, we should:
- Use strong passwords (a long combination of lowercase letters, uppercase letters, numerals, and special characters such as “@”, “$”, “~”);
- Change all of our passwords frequently, preferably once a month;
- Use different passwords for all our online services (in case hackers obtain the password for our account at one service, they will not be able to use it for our other services);
- Use Two-Factor and Multi-Factor Authentication whenever we can;
- Not log in to third-party websites and apps using our social logins (such as Facebook login, Twitter login, Google account).
Companies, on the other hand, can and must:
- Assess the vulnerability of infrastructure and systems, whether their own or their vendors';
- Test applications - the ones they are building and the ones built by vendors they rely on;
- Make security assessment integral to their development cycles.
Current developments in the information security field allow these processes to be run continuously and integrated seamlessly in any organisation.
We are available to discuss the options for your company.