We recently became aware that some user data was compromised due to unauthorized access to our systems by a malicious third party. We have engaged leading digital forensic and security experts and launched an investigation, which is ongoing. We have notified law enforcement officials. We are notifying affected Quora users. We have already taken steps to ensure the situation is contained, and we are working to prevent this type of event from happening in the future. Protecting our users’ information and fostering an environment built on trust remains our top priority so that together we can continue to share and grow the world’s knowledge.
What kind of user data was affected?
Based on what we have learned, some of our users’ information has been exposed, including:
- Account information, e.g. name, email address, encrypted password (hashed with a salt that varies for each user), data imported from linked networks when authorized by users
- Public content and actions (e.g. questions, answers, comments, upvotes)
- Non-public content and actions (e.g. answer requests, downvotes, direct messages)
Questions and answers that were written anonymously are not affected by this breach as we do not store the identities of people who post anonymous content.
How do I know if I was affected? How are you notifying users?
In the interest of transparency, we are notifying impacted Quora users of the incident via email, and will provide relevant updates as they are available.
When did you first learn of the issue? How was it brought to your attention?
We first learned of the issue on November 30. Upon learning about the issue, we immediately launched a comprehensive investigation and remediation effort.
How many Quora users are affected?
Not all Quora users are affected, and some were impacted more than others. We are notifying those affected of the incident, and will provide updates as they are available.
Impact on users
If my data was compromised, what are the risks to me? Could my identity be stolen?
It is highly unlikely that this incident will result in identity theft, as we do not collect sensitive personal information like credit card or social security numbers.
Is content posted anonymously still secure?
Yes. Anonymous content cannot be connected to user accounts, so content posted anonymously is still secure.
How do I delete my account and all data you have on me?
To delete your account and all data Quora has about you, see here: How do I delete my Quora account?
Note that deleting your account does not affect whether your information has been compromised by this breach.
How can I get a copy of all my data from Quora?
We will send you an archive of your content and personal data to your account’s primary email address on request. If you would like to request a copy of your data, you may do so by submitting a request via email to firstname.lastname@example.org. Please note that you will receive the archive within 72 hours of our team confirming that we have received your data request.
How do I reset my password?
If we invalidated your password, you will be prompted to reset your password the next time you try to log into Quora with a password. If you are not prompted to do so, you can change your password by visiting your account settings at https://www.quora.com/settings. Click "Change Password" and enter your current password in the pop-up message. You can then enter your new password and click "Change Password" to save it for the next time you log in.
For more information, see How do I change or reset my password on Quora?
Should I also reset passwords for other connected accounts?
It is generally a best practice to not reuse the same password across multiple services, and we recommend that people change their passwords if they are doing so.
I didn’t know I had a Quora account. How is it that my email or information was exposed?
You may have signed up for Quora some time ago. While you might not have regularly visited or used Quora, your account remained, and this breach may have exposed some of your information, such as the email address you signed up with, the password you used, or actions you took on Quora.
Why am I getting fake emails or social media messages saying that someone has access to my compromised account or information?
Following a cyberattack of this nature, it is common for fraudsters to try to exploit brands like Quora in an effort to obtain personal information. They attempt this fraudulent activity through phishing emails, texts, phone calls and fake websites. You can report phishing incidents on the F.B.I.’s Internet Crime Complaint Center.
Here are some best practice recommendations:
- Change your password immediately. If you've used the same password across multiple sites, create a unique password for each site.
- Use a different username and password combination on every site you visit.
- Verify your account details such as email address and make sure no unauthorized changes have been made to the account.
What Quora is doing about it
What steps are you taking to contain the issue and make sure this doesn’t happen again?
Upon learning about the issue, we immediately launched a comprehensive investigation. We have retained leading digital forensics and security firms to assist us and have notified law enforcement officials. While the investigation is still ongoing, we have already taken steps to contain the incident, and our efforts to prevent this type of event from happening in the future are ongoing and a top priority.
Have you alerted law enforcement?
Yes, we have alerted law enforcement, in addition to retaining a leading digital forensics and security firm to assist us in the investigation and next steps.
Does Quora know who is responsible?
No, but we have alerted law enforcement in an effort to identify the attacker.