BREACHES R US —

Hackers breach Quora.com and steal password data for 100 million users

Other stolen personal data includes names, email addresses, and direct messages.


Brace yourself for yet another massive data breach. Quora.com, a site where people ask and answer questions on a range of topics, said hackers breached its computer network and accessed a variety of potentially sensitive personal data for about 100 million users.

Compromised information includes cryptographically protected passwords, full names, email addresses, data imported from linked networks, and a variety of non-public content and actions, including direct messages, answer requests, and downvotes. The breached data also included public content and actions, such as questions, answers, comments, and upvotes. In a post published late Monday afternoon, Quora officials said they discovered the unauthorized access on Friday. They have since hired a digital forensics and security firm to investigate and have also reported the breach to law enforcement officials.

“It is our responsibility to make sure things like this don’t happen, and we failed to meet that responsibility,” Quora CEO Adam D’Angelo wrote in Monday’s post. “We recognize that in order to maintain user trust, we need to work very hard to make sure this does not happen again.”

The service has logged out all affected users, and in the event they use passwords to authenticate, old passwords have been invalidated. Users who chose the same password to protect accounts on a different service should immediately reset those passwords as well. Quora has already begun emailing affected users.

“We believe we’ve identified the root cause and taken steps to address the issue, although our investigation is ongoing, and we’ll continue to make security improvements,” Monday’s post stated. “We will continue to work both internally and with our outside experts to gain a full understanding of what happened and take any further action as needed.”

The hackers were unable to access questions and answers that were written anonymously, because Quora doesn’t store the identities of people who post anonymous content. The decision not to tie anonymous content to the identities of the people posting it is a smart one that will protect the identities of many people who discussed sensitive personal matters. But it will do less to shield people who, despite a Quora policy to the contrary, may have used a pseudonym as their account name or who discussed sensitive matters in direct messages.

It’s all about the hash function

A less useful decision by Quora: the company's breach notification didn’t elaborate on the format of the stolen password data except to say that it was “encrypted” and used a cryptographic salt that varies for each user. Strictly speaking, stored passwords are hashed rather than encrypted: each password is combined with a unique string of random bytes (the salt) and then passed through a one-way hash function, so there is no key that turns the stored value back into the password. The salt defeats precomputed lookup tables and forces attackers to work on each user's hash separately, but it does nothing to slow down guessing against any single hash. That is why the specific hash function matters so greatly. If it's one that uses fewer than 10,000 iterations of a fast algorithm such as MD5, hackers using off-the-shelf hardware and publicly available word lists can crack as many as 80 percent of the password hashes in a day or two. A function such as bcrypt, by contrast, is deliberately expensive to compute, and its cost can be tuned upward as hardware gets faster; that can prevent a large percentage of hashes from ever being converted into plaintext.

In a tweet posted on Tuesday, almost 24 hours after the notification went live, Quora said the function was bcrypt. That means it will be prohibitively expensive and time consuming for the vast majority of the hashes to be deciphered.
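To make the difference concrete, the following is an added example (not Quora's code and not from the original article) that stores the same password two ways, salted single-pass MD5 and a deliberately slow key derivation function, and then runs an offline dictionary attack against both. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it here; the point it demonstrates, that per-guess cost is what limits cracking, applies the same way to bcrypt, whose cost parameter raises the work per guess just as the iteration count does below. The wordlist and password are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for a public password wordlist.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "baseball"]


def hash_fast(password: str, salt: bytes) -> bytes:
    """One pass of MD5 over salt + password.

    The salt makes each user's hash unique (no precomputed tables, no batch
    attacks across users), but a single MD5 costs almost nothing per guess.
    """
    return hashlib.md5(salt + password.encode()).digest()


def hash_slow(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: a slow KDF used here as a stand-in for bcrypt.

    Every guess an attacker makes has to pay the same `iterations` cost
    the legitimate login pays once.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str, hashfunc):
    """Create the stored (salt, hash) pair with a fresh per-user random salt."""
    salt = secrets.token_bytes(16)
    return salt, hashfunc(password, salt)


def verify(password: str, salt: bytes, stored: bytes, hashfunc) -> bool:
    """Login-side check; constant-time compare avoids leaking bytes via timing."""
    return hmac.compare_digest(hashfunc(password, salt), stored)


def crack(salt: bytes, stored: bytes, hashfunc, wordlist=WORDLIST):
    """Offline dictionary attack on one leaked record.

    Returns (recovered_password_or_None, guesses_made, seconds_spent).
    The attacker knows the salt (it is stored next to the hash), so salting
    does not reduce the number of guesses, only the reuse of work across users.
    """
    start = time.perf_counter()
    for n, guess in enumerate(wordlist, 1):
        if hashfunc(guess, salt) == stored:
            return guess, n, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


def demo(password: str = "letmein") -> dict:
    """Crack the same password stored both ways and report the cost ratio."""
    salt_f, rec_f = make_record(password, hash_fast)
    salt_s, rec_s = make_record(password, hash_slow)
    found_f, n_f, t_f = crack(salt_f, rec_f, hash_fast)
    found_s, n_s, t_s = crack(salt_s, rec_s, hash_slow)
    return {
        "fast": (found_f, n_f, t_f),
        "slow": (found_s, n_s, t_s),
        # How many times more expensive each guess became; grows with iterations.
        "slowdown": (t_s / t_f) if t_f > 0 else float("inf"),
    }


if __name__ == "__main__":
    result = demo()
    print("MD5+salt :", result["fast"])
    print("PBKDF2   :", result["slow"])
    print("per-guess slowdown: %.0fx" % result["slowdown"])
```

Both stores give up "letmein" after the same four guesses; what changes is the price of each guess, which is the only lever a defender has once the hashes are in an attacker's hands. With a real wordlist of millions of entries and a cracking rig built for it, that per-guess cost is the difference between recovering most of a 100 million user dump in days and recovering only the weakest fraction.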

Quora’s post is only the latest disclosure of a major breach. On Friday, hotel chain Marriott International said a system breach allowed hackers to steal passport numbers, credit card data, and other details for 500 million customers. In September, Facebook reported an attack on its network that allowed hackers to steal personal details for as many as 50 million users. The social network later lowered the number of accounts affected to about 30 million.

Readers are, once again, reminded to use a long and complex password that’s unique to each site, ideally by using a password manager. Whenever multi-factor authentication is available, people should turn it on as well.

This post was updated on Tuesday afternoon to make clear that the initial breach notification said hashed passwords were salted and to add Quora's later update that the hash function used was bcrypt.
