Quora said today that a security breach may have compromised data from about 100 million users. In an email sent to users today and a blog post by CEO Adam D’Angelo, the company said a “malicious third party” gained unauthorized access to Quora’s systems on Friday. Its internal security teams and a “leading digital forensics and security firm” are currently investigating the breach. Law enforcement officials have also been notified.
The company believes it has identified the root cause of the breach and “taken steps to address the issue, although our investigation is ongoing and we’ll continue to make security improvements.” Quora also added that anonymous questions and answers were not affected by the breach because it does not store the identities of people who make anonymous postings.
The company is currently notifying users whose data was compromised and, as a security precaution, logging out all Quora users who may have been affected. It is also invalidating the passwords of affected users who log in with one. Quora has also published an FAQ about the breach.
According to Quora, the user data that may have been accessed includes:
- Account and user information, e.g., name, email, IP, user ID, encrypted password, user account settings, personalization data
- Public actions and content including drafts, e.g., questions, answers, comments, blog posts, upvotes
- Data imported from linked networks when authorized by you, e.g., contacts, demographic information, interests, access tokens (now invalidated)
- Non-public actions, e.g., answer requests, downvotes, thanks
- Non-public content, e.g., direct messages, suggested edits
In another article on its help center, Quora said it is “confident that no partner’s financial information has been compromised.” Some access tokens associated with Stripe, the payment processing service used by the company, were “temporarily compromised,” but Quora confirmed with Stripe that no access tokens have been used since the incident and no financial information was breached.
All users with Stripe accounts have also had their access tokens reset. “We are confident that no personal financial information that was accessible through Stripe has been compromised. Furthermore, no personal financial information is currently vulnerable,” Quora said.