Quora.com hacked. Hackers steal 100 million users worth of data

Hackers have compromised 100 million of Quora users.

More specifically, password data.

Along with that, hackers also managed to steal personal data belonging to users of the popular question answer site which included direct messages, email addresses, and names.

It is safe to say that Quora users should probably brace themselves again for (you guessed it) another huge and devastating data breach.

As many of our readers would already know, Quora.com is a wildly popular website where people can just come in and ask questions on whatever topic they feel like asking.

Other users of the site are free to answer any question that they like.

The questions can come from a range of different topics.

After the attack, Quora.com stated that hackers had found a way to breach the site’s computer network.

Then they accessed a large variety of personal and potentially sensitive data for around 100 million Quora users.

Moreover, the information that hackers compromised included,

  • A vast variety of non-public actions and content which included
    • Downvotes
    • Answer requests
    • Direct messages
  • Email addresses
  • Full names
  • Passwords that had cryptographic protection.
  • All the data that users had imported from their linked networks

Not only that, but hackers also managed to compromise public actions and content via their data breach attack.

This included things such as,

  • Upvotes
  • Comments
  • Answers
  • Questions

Quora.com published an official report about the incident on Monday and in the post said that the company had managed to discover hackers having unauthorized access to its data on Friday.

Since then, the company said, officials had dried various security firms and digital forensics in order to investigate the situation.

Not only that, Quora.com post said that officials had also reported the incident (the actual data breach) to various law enforcement agencies.

The CEO of Quora, Adam D’Angelo, said via the official Monday post that it was Quora’s responsibility to make absolutely sure that things such as this data breach did not happen and, in that respect, Quora had failed to appropriately meet that responsibility.

Furthermore, he said, the company had recognized that in order for it to actually maintain its hard-earned user trust, it needs to work extremely hard to ensure that data breaches such as the one that was discovered on Friday did not happen in the future.

For what it is worth, Quora (the service) has actually already started the recovery work.

It has logged out each and every affected Quora user.

Moreover, for cases where Quora users have used passwords in other to authenticate their accounts, the service has invalidated all old passwords.


This means that Quora users who made use of the same password in order to provide protection to more than one account on different online services should probably and immediately change or reset those similar passwords.

Apart from that, Quora has also put its team to work by instructing them to email all the affected users.

The official Monday Quora post also stated that the company believed that it had managed to identify the root cause of the hack and had already started to take steps which would address such issues in the future with greater effectiveness.

Quora also mentioned that although the company’s investigation was still ongoing, it would continue to put in the work to improve its security measures.

Along with that, the company mentioned that its staff would continue to heavily work with both external and internal experts in order to gain a comprehensive and complete understanding of what actually happened.

Moving from that, the company said, it would take all the necessary actions as they become necessary.

For some, it might come as a relief that hackers did not manage to have access to answers and questions that Quora users had written anonymously.

That is because, Quora has a policy of not storing the online identities of all the people who post content on its site anonymously.

Needless to say, the decision by Quora to not try and tie anonymously written content to the actual identities of its Quora users who are posting the content is more or less a smart one.

It would definitely help the company protect the online identities of all those people who had made the decision of discussing something sensitive and/or personal stuff on the site.

However, such a decision would do less to protect Quora users who may have made use of a pseudonym as their official Quora account or made the decision to discuss sensitive matters via the Quora direct messages feature.

Readers should know however that both actions are contrary to the official Quora policy.

The hash function and everything that comes with it

With everything said and written till now, Quora has made one decision which is far less useful than all the others:

The company has officially decided to not elaborate anything regarding the format of the password data that hackers managed to steal.

Quora has only mentioned that hackers made off with encrypted passwords.


Our research shows that when companies say that, they usually mean that they went through the process of passing all their passwords through a strong one-way hash function.

Now, the thing about the hash functions is that, not all of them are created equal.

Therefore, it is immensely important for sites like Quora to specifically mentioned which hash function they used.

The kind of hash function that a service uses determines how secure the encryption would be.

If a given service has used a hash function that utilizes fewer than ten thousand complete iterations of a reputable fast algorithm like the one we call MD5 without the use of any cryptographic salt, then that is a big problem.

Why is it a big problem?

It is a big problem because if it is the case then hackers who have the sense to make use of publicly available word lists and off-the-shelf hardware can, and do, crack as much as 80 percent of all the present password hashes in a matter of 24 to 48 hours.

However, there is also a function that goes by the name of bcrypt.

This function, by contrast, has the ability to prevent a great percentage of those hashes from ever getting through the conversion process and becoming a plaintext file.

Readers should also know that the official Quora post is actually one of the many latest disclosures of various different data breaches around the world.

This past Friday, Marriott International (a reputable hotel chain) said that hackers had managed to breach its systems as well.

And in the process of doing so, hackers stole,

  • Password numbers
  • Personal details
  • Credit card data

on a total of 500 million customers.

Before that, back in September, the social media giant Facebook officially reported that hackers had launched an attack on the company’s network which allowed them to get away with the personal details of a total of 50 million users.

Facebook later revised that number and lowered the number of affected accounts to around 30 million.

This is where we have to remind our readers to make use of complex and long passwords.

And use one password for one site.

Don’t reuse passwords, in other words.

In an ideal situation, the user should make use of a password manager to achieve all of this.

Moreover, whenever a service offers multi-factor authentication, users should not hesitate to take advantage of it and enhance their online protection.


Zohair A. Zohair is currently a content crafter at Security Gladiators and has been involved in the technology industry for more than a decade. He is an engineer by training and, naturally, likes to help people solve their tech related problems. When he is not writing, he can usually be found practicing his free-kicks in the ground beside his house.
Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.