Quora, a question-and-answer website founded eight years ago, says it suffered a security breach that compromised the data of as many as 100 million users.
The site, which lets its 300 million members and anonymous users ask and answer questions of each other, discovered Friday that “a malicious third party” gained “unauthorized access to one of our systems,” Quora CEO and co-founder Adam D’Angelo said in a post on Quora.com.
The Mountain View, California-headquartered company contacted law enforcement and retained “a leading digital forensics and security team” to assist its internal investigation, he said.
Quora is contacting the 100 million users whose data may have been compromised and has reset some users’ passwords. The data potentially accessed includes names, email addresses and encrypted passwords, along with questions and answers posted.
“It is highly unlikely that this incident will result in identity theft, as we do not collect sensitive personal information like credit card or social security numbers,” Quora said in a security update on its site.
While most of the content on Quora was public, “the compromise of account and other private information is serious,” D’Angelo said.
We have discovered that some user data was compromised by unauthorized access to our systems. We’ve taken steps to ensure that the situation is contained and are notifying affected users. Protecting your information is our top priority. Read more here: https://t.co/uwbdMjoM1v
— Quora (@Quora) December 3, 2018
User passwords were encrypted, but D’Angelo recommended that users who reuse passwords on multiple sites change their passwords.
The Quora breach comes just days after a massive breach reported by hotel operator Marriott in which as many as 500 million customers at its Starwood hotels may have had data including credit cards and passport numbers compromised.
About one-third of those online use the same three passwords, said Gary Davis, the chief consumer security evangelist at anti-virus software maker McAfee, in the wake of the Marriott breach.
“The scary reality is that even if hackers do not obtain payment information from a data breach, the customer is still at risk if they have used the same password to protect financial accounts, as hackers would be able to leverage this data to access financials,” he said. “Therefore, we recommend proactively placing fraud alerts on credit files to ensure that any new or recent requests undergo scrutiny. This will protect consumers against the potential damage.”
Many users had forgotten they had signed up for Quora over the years and were surprised to get an email Monday about the breach. “Nothing like a data breach to remind me that I have a Quora account,” one user posted on Twitter.
Nothing like a data breach to remind me that I have a Quora account
— Aaron Patterson (@tenderlove) December 4, 2018
Another user noted that the breach came soon after Quora began increasing the level of advertising on the platform, “and here we are!”
D’Angelo said Quora believes it has “identified the root cause and taken steps to address the issue, although our investigation is ongoing.”
He pledged the site would continue to make security improvements. “It is our responsibility to make sure things like this don’t happen, and we failed to meet that responsibility,” he said. “We recognize that in order to maintain user trust, we need to work very hard to make sure this does not happen again.”
Follow USA TODAY reporter Mike Snider on Twitter: @MikeSnider.