Quora Site Hacked; Names, Emails and Passwords Stolen

Question site "Quora" has become the latest high-profile hacking victim, with details of more than 100 million users breached. Fortunately, the implications likely won't be as serious as some previous hacks.

The site lets users post questions and then get answers from other users. A voting system means more helpful answers from its community means the best answers float to the top.

Quora says its systems were accessed without authorization and that it discovered the breach on November 30, 2018. It says the exposed information included account information such as name, email address and password, along with any data imported from other services.

Anonymity Preserved

The breach also included any content the user had posted publicly, along with some details that wouldn't normally be public such as when they "down voted" an answer from another user or sent a direct message. Quora says the breach won't reveal the identity of people who posted anonymously as it doesn't store that information on its system. (Source: quora.com)

The good news is that despite the number of people affected, the impact should be minimal. That's because the most sensitive part of the data - user passwords - was stored in an encrypted form using something called "hashing and salting". (Source: bbc.co.uk)

Hashing involves turning a piece of data such as a password into a string of code, known as a hash. It's a one-way process, meaning the people who stole the data can't simply turn the hash back into the password. Instead, they need to try hashing possible passwords for each user in order to find a hash that matches the one in the stolen database, and thus deducing the password. Another term for this is called one-way encryption.

Salting means adding some random characters in the process. That means that even if two users had the same password, they wouldn't have the same hash in the records. In turn, that means that even if the hackers figured out one person's password, they can't simply look for anyone else with the same hash.

Spam Likely to Increase

The set-up means there's two likely risks from the breach, one more likely and one more serious. The more likely one is that hackers will sell the list of email addresses (which weren't encrypted) to spammers.

The much more serious one is that hackers may be able to figure out people's passwords, and then try them on other sites and services in the hope of getting access to more sensitive data than can be found in Quora accounts. As always, it's a reminder that it's safer to avoid using the same password for multiple sites, particularly ones with financial or personal details.

What's Your Opinion?

Do you use Quora? Are you reassured by the way it stored the data? Do you reuse passwords on different websites?