Slashdot Mirror


Quora Data Breach Exposes 100 Million Users' Personal Info (cbsnews.com)

schwit1 shares a report from CBS News: Information sharing website Quora has announced a data breach which has exposed "approximately 100 million users'" personal data. The company said in a statement released Monday that it discovered the "unauthorized access to one of our systems by a malicious third party," on Friday. Chief Executive Adam D'Angelo wrote in the blog post that Quora had alerted law enforcement authorities and was "working rapidly to investigate the situation further and take the appropriate steps to prevent such incidents in the future." D'Angelo said Quora was working to alert the affected users of the site, whose names, email addresses and encrypted passwords, and public content such as their questions, answers and comments, were exposed through the breach. Those users would be required to reset their passwords, D'Angelo said.


  1. The site annoyingly makes you create an account by ZorinLynx · · Score: 4, Insightful

    Even if you're not going to contribute anything, you're forced to create an account to keep browsing. I wonder how many of those 100 million accounts are throwaways used to browse the site. I know mine is!

    Websites shouldn't force read-only users to create accounts. Not only is it annoying, but it wastes resources on your servers and now you have more accounts to potentially get hacked.

    1. Re:The site annoyingly makes you create an account by mattyj · · Score: 1

      Except that they collect browsing habits/history that are attached to an email address, which is a saleable commodity.

      Probably cuts down on robots indexing their data and selling it or doing whatever with it, too.

      Annoying, I agree, but the evil empire has its reasons.

    2. Re:The site annoyingly makes you create an account by 140Mandak262Jamuna · · Score: 1

      Why create a throwaway login? Copy paste the text into google search box and you click on the google link.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    3. Re:The site annoyingly makes you create an account by freeze128 · · Score: 1

      Perfect use-case for SQRL.

    4. Re:The site annoyingly makes you create an account by ayesnymous · · Score: 1

      I think Quora was created by a former Facebook employee. It's not worth creating an account. It's just another Yahoo Answers with hardly any useful content.

    5. Re:The site annoyingly makes you create an account by dkman · · Score: 1

      Thank you for answering my question, "What is Quora and why would they have my information?"

      --
      I refuse to sign
  2. Encrypted passwords? by viperidaenz · · Score: 1

    I hope not. That implies they're not one-way hashed and if they've stolen the encryption key too, they can obtain the actual password.
    That would be an amateur security mistake on Quora's part.

    1. Re:Encrypted passwords? by mattyj · · Score: 1

      I'd posit that a mistake that's already exposed that much data, undetected until now, is an amateur security mistake. If they get the data and the key, that's more like infantile.

    2. Re:Encrypted passwords? by Dunbal · · Score: 1

      That implies they're not one-way hashed

      _strrev() is an awesome password "hashing" function!

      --
      Seven puppies were harmed during the making of this post.
    3. Re:Encrypted passwords? by Dilly+Dilly! · · Score: 1

      It's possible that the term "encrypted" is being used loosely to encompass the process of salting and hashing passwords.

      For users, the problem is that it's hard to know whether any particular site is using good security practices to keep data secure. I use a password manager (mSecure) that runs locally on my phone, and generate unique random passwords for each site. That way, a breach like this wouldn't allow my data to be compromised on other sites, where I might have reused the password. I don't upload the data from mSecure anywhere, though I keep backups on SD cards. The data and backups are stored with 256-bit Blowfish encryption and a unique passphrase. I know, there's a single point of failure, where all my passwords are stored in one place and protected by a single passphrase, and phones aren't particularly secure. But if I moved the password manager to a laptop or desktop computer, I wouldn't as readily have access to my passwords when I need them. It's relatively convenient, simple to use, and it seems better than many of the alternatives.

      Unfortunately, there's no way for a user to know which sites are secure. It seems like everything should be treated as highly vulnerable, and users should protect themselves accordingly.

    4. Re:Encrypted passwords? by gander666 · · Score: 1

      Well, seeing how reliable their service is (not very), this wouldn't surprise me.

      --
      Suppose you were an idiot and suppose you were a member of Congress ... but I repeat myself. - Mark T
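
The distinction this thread draws between encrypted and salted, one-way hashed passwords, as an added example that is not part of any comment above and is not Quora's code. The SHA-256 XOR keystream is a toy stand-in for a real cipher, and all function names and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import os

# --- Reversible storage: what "encrypted passwords" literally means ---
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy SHA-256 counter-mode keystream; stand-in for a real cipher, demo only.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt_password(key: bytes, password: str) -> bytes:
    nonce, data = os.urandom(16), password.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def decrypt_password(key: bytes, record: bytes) -> str:
    nonce, ct = record[:16], record[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

# --- One-way storage: per-user random salt + scrypt, no key to steal ---
def hash_password(password: str) -> bytes:
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt + digest

def verify_password(password: str, record: bytes) -> bool:
    salt, digest = record[:16], record[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

def demo() -> dict:
    pw = "correct horse battery staple"  # constructed sample password
    key = os.urandom(32)                 # server-side key kept next to the data
    enc = encrypt_password(key, pw)
    h1, h2 = hash_password(pw), hash_password(pw)
    return {
        # Whoever holds the database and the key gets the plaintext back.
        "recovered_with_key": decrypt_password(key, enc),
        # Same password, different salts: records do not reveal password reuse.
        "distinct_hashes": h1 != h2,
        "login_ok": verify_password(pw, h1),
        "wrong_rejected": not verify_password("guess", h1),
    }

if __name__ == "__main__":
    print(demo())
```
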
  3. Another data breach by BringsApples · · Score: 4, Insightful

    So many data breaches lately, makes me wonder if eventually everyone's data will be worthless. And then what??? Most of the propellant of today's society has to do with gathering personal data. If personal data turns out to be worthless, we're talking a shit-storm of problems for a society that's built around it.

    --
    Politics; n. : A religion whereby man is god.
    1. Re:Another data breach by Dixie_Flatline · · Score: 1

      I personally *try* to make sure my data is worthless. I mean, they know I like math and science questions, but that's hardly news. I lie about nearly everything personal they ask me; I just make sure my age is over 18. I use a shitty password because I couldn't care less if they crack it and use it to log onto some other shitty site where I have a forum account or something. Personal questions? I tell them that I grew up on Dingleberry street, and my first pet was named "flame retardant banana". (Note: I made those answers up on the spot. See how easy it is?)

      The trick is to know what information is worth caring about. Lie as much as possible on the internet. Nobody needs to know your real birthday except your Mom and the government.

    2. Re:Another data breach by grep+-v+'.*'+* · · Score: 1

      If personal data turns out to be worthless, we're talking a shit-storm of problems for a society that's built around it.

      TULIPS! Get your freshly harvested tulip bulbs here! Tulips! Only one per house, that's the price!

      Link (How Much: at the peak of the market, a person could trade a single tulip for an entire estate, and, at the bottom, one tulip was the price of a common onion.)

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    3. Re:Another data breach by Anonymous Coward · · Score: 1

      The data breaches are largely the flip side of hiring cheap developers. What goes around comes around etc.

  4. Re:/. Bug Alert by Dunbal · · Score: 1

    This is by design, not a bug.

    --
    Seven puppies were harmed during the making of this post.
  5. Well... by The+Grim+Reefer · · Score: 5, Funny

    Information sharing website Quora has announced a data breach

    TFS says it's an information sharing site.

  6. I am sure there is a Quora article on ... by 140Mandak262Jamuna · · Score: 1

    ... How to guard against hackers.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  7. It wasn’t really a breach. by Hallux-F-Sinister · · Score: 2

    Someone just went on Quora, and asked the community, “what would it be like if a file containing all of Quora’s user data were on my computer?” and one of the moderators answered.

    --
    Our reign has gone on long enough. Indeed. Summon the meteors.
  8. Re:/. Bug Alert by hcs_$reboot · · Score: 1

    Been here long enough... I posted my parent account with my nickname AFTER the bug appeared!
    1. Moderated +1
    2. Commented as AC
    3. At that time, the mod point disappeared and couldn't mod the story anymore
    4. Then posted with my nickname to describe the bug!
    Guys you're so condescending!

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  9. Re:What? by ElizabethGreene · · Score: 1

    It's an order of magnitude better than Yahoo Answers. You still have the occasional buffoon, but the signal to noise ratio is excellent.

  10. quora.com: roll the dice and see what comes up by BlackOverflow · · Score: 1

    When I want highly questionable answers from completely unknown sources, quora.com is my go-to place!