Passwords of 100 Million Quora Users Are Exposed During a Data Breach


Quora.com is a popular question-and-answer website where users gather to share their knowledge or gain information and advice from more experienced members. Sadly, the site was unable to avoid a data breach: the company reported that its systems were attacked on the last day of November. As a result, it joined the list of companies that were unable to protect their users' privacy, such as Facebook or Amazon. Of course, Quora is focused on minimizing the possible damage and preventing such attacks from happening in the future.

What information was accessed during the data breach

According to the Quora report posted on the company's blog, the hackers might have been able to access the account information of around 100 million users during the data breach. Account data includes the user's name, email address, hashed password, and data imported from linked networks (authorized by users). At this point, it is essential to explain what a hashed password is. Like encryption, hashing transforms a password into a random-looking string of characters, but the transformation is one-way, which prevents hackers from simply reading the passwords after gaining unauthorized access to the password database. Quora's team explained the company used the so-called bcrypt hashing, which incorporates salting (adding random data to each password as it is hashed, so that every hashed password is unique even when two users pick the same password). This is good news because deciphering such passwords might be expensive and time-consuming, which means it might take some time before the hackers get to your data.
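The effect of salting and a deliberately slow hash can be shown in a few lines of Python. This is an added example, not Quora's code and not part of the original article; PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, and the record layout, function names and sample passwords are assumptions made for the illustration.

```python
# Added illustration: salted, deliberately slow password hashing.
# PBKDF2-HMAC-SHA256 stands in for bcrypt (which is not in the standard
# library); the record layout and all names are assumptions of this example.
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # work factor: every single guess costs this many rounds


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<digest>' for storage."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password, stored):
    """Recompute with the stored salt and cost; compare in constant time."""
    try:
        scheme, iterations, salt_b64, _ = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = hash_password(password, base64.b64decode(salt_b64),
                                  int(iterations))
    except (ValueError, TypeError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(candidate, stored)


def demo():
    # Constructed sample: two accounts that chose the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    return {
        "records_differ": alice != bob,  # salt makes each record unique
        "right_password_ok": verify_password("correct horse battery staple", alice),
        "wrong_password_ok": verify_password("Tr0ub4dor&3", alice),
        "malformed_ok": verify_password("x", "not-a-record"),
    }


if __name__ == "__main__":
    print(demo())
```

Because the salt and the work factor are stored next to each digest, the site can still verify a login, while anyone holding a leaked table has to repeat the full, slow computation for every guess against every account separately.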

Furthermore, the cybercriminals might have access to posted questions, answers, comments, and even upvotes. Fortunately, Quora does not store the identities of users who post content anonymously, which is why the data breach did not compromise anonymous questions and answers. Another thing the company stressed is that even though the hackers were able to obtain information like direct messages, only a small percent of the website's users have ever sent or received such messages. Therefore, the main concern is with the passwords and other personal information we mentioned in the previous paragraph.

What is being done to protect users

Quora's message claims the company is determined to make sure this never happens again and is doing everything it can to learn how the cybercriminals were able to breach its servers, including consulting with outside specialists. In addition, while the investigation continues, the website's team is sending emails to the owners of compromised accounts to notify them of what has happened. To explain the situation further, the team prepared an FAQ dedicated to questions about the data breach; it can be found here. Moreover, all users who might have been affected by the data breach are being logged out. What is important to know is that if you were logged out and you use a password as your authentication method, Quora will invalidate the passcode as a safety precaution. Afterward, you will be asked to reset the password.

How to reset your Quora.com password

Note that if your account was compromised, the first time you try to log in to Quora after the breach, the site should show a notification saying you need to reset the password. In that case, all you need to do is enter your email address and click the Reset Password button. Next, you should see a message saying that instructions on how to complete the process were sent to your email. Go to your email and follow the instructions received from Quora.

  1. Go to Quora.com.
  2. Log in and go to "Account's Settings".
  3. Click on "Change Password".
  4. Enter your old password and press "Done".
  5. Create a new password and submit it into the provided fields.
  6. Press "Change Password" to confirm.
  7. If you cannot log in, type your email address and choose the "Forgot Password?" option from the login window.
  8. The instructions on how to reset Quora.com password should be sent to your email.
  9. Follow the link sent via email and type your new password in the given boxes.
  10. Click "Reset Password" to confirm.

Needless to say, the new password has to be strong if you do not want your account to be at risk. Probably the easiest way to create a passcode that hackers could not guess or easily brute-force is to generate it automatically. For this task, you could employ Cyclonis Password Manager. It has an easy-to-use password generator that can create complex combinations of chosen length and characters. What's more, it helps you set up an encrypted vault on your device or cloud drive to keep your passwords safe, and it can also log you in automatically to your favorite sites, which means that you do not have to remember your complex login passwords.

How to protect your Quora.com account

Users are advised to reset their Quora.com passwords because, even though the process of deciphering such information might be complicated, the hackers might still succeed at it. Another thing you should not forget is that if you are using the same password somewhere else, for example, for your Facebook account, it would be wise to replace it too. As you see, even if hackers are not able to log into your Quora profile, they might try their luck with your email and password on other popular websites. Consequently, cybercriminals might be able to access and hack accounts that were created using the same email address and passcode. Thus, it is no wonder that using the same combination everywhere is said to be one of the worst password practices.

When data breaches occur, the best defense against attackers is to react fast. Luckily, Quora did not wait too long to let their users know what had happened and even took the necessary steps to make sure the compromised passwords are replaced. Hopefully, the incident will not reoccur in the future and will become an example of how important it is to take care of cybersecurity, especially when you have sensitive users' data to look after. There were a lot of data breaches this year and if there is anything we learned from them, it is that any company can be targeted.

December 20, 2018
