On Friday, 30 November 2018, Quora, the popular platform for asking questions and connecting with people who contribute unique insights and quality answers, suffered a breach of sensitive user data. According to their "SECURITY UPDATE" mail, a third party had gained unauthorized access to the following user data, and this access was discovered:
- Account & User Information including name, email, IP, userID, one-way hashed password, user account settings, personalization data
- Public Actions and content including drafts
- Data imported from linked networks, e.g. contacts, demographic information, interests, access tokens
- Non-public actions like answer requests, downvotes, thanks
According to the post, questions and answers that were written anonymously are not affected, as Quora does not store the identities of people who post anonymous content.
As avid users of Quora, we would like to ask: why are all the eggs in one basket? That is, why were access tokens and passwords residing in a single table of a database?
Access tokens are the auth tokens that Quora obtains from a third-party identity provider when a user authorizes it to sign in to, or link with, the Quora website or app on their behalf. This means it is not just Quora data: the corresponding data from the affected users' connected accounts, such as Google and Facebook, has also been leaked or stolen!
According to their mailer, the Quora security team is currently taking the following actions:
- Notifying all the users who are affected by this breach
- Logging out all affected users from the Quora platform (remember, they have flushed all auth and session tokens to avoid further damage)
- Continuing the investigation, even though they now know the root cause of the issue
As a precaution, all Quora users are requested to reset their passwords and to start using a password manager, so that the same password is not reused across multiple platforms.
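To make the two points above concrete, here is an added example (not Quora's code, and not taken from their mailer) of the kind of design a defender would want: the account table holds only identity and a salted one-way password hash, third-party access tokens live in a separate vault with its own access boundary, and the breach response "log everyone out and flush tokens" is a single epoch bump plus a vault wipe. All names, the in-memory stores, the sample user and the sample token are constructed for this example; the signing key would come from a secret manager in a real deployment, and the provider-side revocation call is assumed to happen alongside the vault wipe.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Assumed: in production this key lives in a secret manager, never in the
# same database as the account rows. Generated fresh here for the example.
SESSION_SIGNING_KEY = secrets.token_bytes(32)


def hash_password(password: str) -> str:
    """One-way hash with a random per-user salt (stdlib scrypt)."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


@dataclass
class User:
    user_id: str
    email: str
    password_hash: str
    session_epoch: int = 0  # bumped once to invalidate every outstanding session


class UserStore:
    """Account table: identity and the one-way password hash, nothing else."""
    def __init__(self):
        self._users = {}

    def create(self, user_id: str, email: str, password: str) -> None:
        self._users[user_id] = User(user_id, email, hash_password(password))

    def get(self, user_id: str) -> User:
        return self._users[user_id]


class LinkedTokenVault:
    """Separate store for third-party access tokens from linked accounts.
    Kept out of the account table so a dump of one store does not yield both
    credentials and tokens; in production it sits behind its own access
    controls and is encrypted with a key held outside the database (assumed)."""
    def __init__(self):
        self._tokens = {}  # user_id -> {provider: token}

    def store(self, user_id: str, provider: str, token: str) -> None:
        self._tokens.setdefault(user_id, {})[provider] = token

    def providers_for(self, user_id: str) -> list:
        return sorted(self._tokens.get(user_id, {}))

    def revoke_all(self, user_id: str) -> dict:
        """Drop the stored copies; calling each provider's revoke endpoint is assumed."""
        return self._tokens.pop(user_id, {})


def issue_session(user: User) -> str:
    """Session token bound to the user's current epoch and HMAC-signed."""
    nonce = secrets.token_hex(16)
    payload = f"{user.user_id}:{user.session_epoch}:{nonce}"
    sig = hmac.new(SESSION_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + ":" + sig


def validate_session(token: str, users: UserStore) -> bool:
    """A token is valid only if its signature checks and its epoch is current."""
    try:
        user_id, epoch, nonce, sig = token.split(":")
    except ValueError:
        return False
    payload = f"{user_id}:{epoch}:{nonce}"
    expected = hmac.new(SESSION_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    try:
        user = users.get(user_id)
    except KeyError:
        return False
    return int(epoch) == user.session_epoch


def breach_response(user_id: str, users: UserStore, vault: LinkedTokenVault) -> dict:
    """Log the user out everywhere and flush their linked-account tokens."""
    users.get(user_id).session_epoch += 1
    revoked = vault.revoke_all(user_id)
    return {"sessions_invalidated": True, "linked_tokens_revoked": sorted(revoked)}


def demo() -> tuple:
    """Constructed walk-through: session valid before, dead after the flush, new one works."""
    users, vault = UserStore(), LinkedTokenVault()
    users.create("u1", "alice@example.com", "correct horse battery staple")
    vault.store("u1", "google", "constructed-sample-access-token")  # constructed value
    user = users.get("u1")
    old_session = issue_session(user)
    valid_before = validate_session(old_session, users)
    result = breach_response("u1", users, vault)
    valid_after = validate_session(old_session, users)
    valid_new = validate_session(issue_session(user), users)
    return valid_before, valid_after, valid_new, result["linked_tokens_revoked"], vault.providers_for("u1")


if __name__ == "__main__":
    print(demo())
```

The epoch trick is what makes "log out all affected users" cheap: no session list has to be walked, every token minted before the bump simply stops validating. Note that wiping the vault only removes the stored copies; the tokens remain live at the provider until revoked there, which is why the revocation call to each provider matters as much as the local flush.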