Quora data breach
The question-and-answer platform Quora disclosed that an unauthorized third party had accessed the data of approximately 100 million users, including names, email addresses, salted-and-hashed passwords, and imported contact and demographic data.
- Victim: Quora
- Records: 100.0M
- Users: 100.0M
On 3 December 2018, the question-and-answer platform Quora disclosed that an unauthorized third party had gained access to its systems and compromised data belonging to approximately 100 million users. The breach, discovered three days earlier, was one of the larger consumer-data incidents of the year.
What happened
Quora detected the intrusion on 30 November 2018, when it discovered that "some user data was compromised by a third party who gained unauthorized access to one of our systems," in the words of CEO Adam D'Angelo. The company did not publicly detail the exact attack vector but characterized the access as malicious.
Upon discovery, Quora launched an investigation with the help of a leading digital-forensics firm, notified law enforcement, and began the process of notifying affected users. As a precaution, the company logged out all potentially affected users and invalidated passwords for accounts that used password authentication.
What was exposed
The compromised data fell into three categories:
- Account information: names, email addresses, passwords (hashed with a per-user salt), and data imported from linked networks where users had authorized it, such as contacts, demographic information, and interests.
- Public content and actions: questions, answers, comments, and upvotes already visible on the platform.
- Non-public content and actions: answer requests, downvotes, and direct messages (a feature used by a limited number of users).
Crucially, anonymously posted questions and answers were not affected, because Quora does not store the identities of users who post anonymous content. The company also noted it does not collect sensitive financial data such as credit-card or Social Security numbers, reducing the direct identity-theft risk.
Impact
- Approximately 100 million users had account data exposed.
- Because passwords were salted and hashed, the immediate credential-cracking risk was lower than in plaintext breaches, but reused passwords remained a concern, and Quora urged users to change credentials on any other site where they had reused them.
- Quora invalidated access tokens for linked third-party accounts (such as Google and Facebook logins) as a containment measure.
Why it matters
The Quora breach is a textbook example of proportionate breach response: rapid disclosure within days of discovery, mass session invalidation, transparent categorization of what data was and was not affected, and clear guidance on password reuse. Its salted-and-hashed password storage meaningfully limited downstream harm, a contrast to contemporary breaches that exposed plaintext or weakly hashed credentials. The incident reinforced that even platforms holding "non-sensitive" data (no payment or government identifiers) remain attractive targets, since reused credentials and linked-account tokens carry value across the wider web.
Timeline
Quora discovers that data held by the company had been accessed by an unauthorized third party.
CEO Adam D'Angelo publicly discloses the breach, estimating roughly 100 million users affected.
Quora logs out all affected users, invalidates passwords where applicable, and revokes access tokens from linked networks.
Quora begins notifying affected users by email and retains a digital-forensics firm to investigate.
Sources
- helpnetsecurity.com: https://www.helpnetsecurity.com/2018/12/04/quora-data-breach/
- washingtonpost.com: https://www.washingtonpost.com/business/2018/12/04/quora-discloses-data-breach-affecting-million-users/
- cbsnews.com: https://www.cbsnews.com/news/quora-data-breach-exposes-100-million-users-personal-info-2018-12-04/
- npr.org: https://www.npr.org/2018/12/04/673144745/100-million-quora-users-affected-by-malicious-data-breach