Quora, a question-and-answer website, has reported a data breach affecting about 100 million users.
In a blog post, Chief Executive Adam D’Angelo said user account information such as user names, email addresses, encrypted passwords and data imported from linked networks “may have been compromised.”
Users’ histories — including public questions and answers, as well as comments and votes, along with nonpublic actions such as answer requests and direct messages — also might have been compromised.
“We are working rapidly to investigate the situation further and take the appropriate steps to prevent such incidents in the future,” D’Angelo wrote Monday night. “It is our responsibility to make sure things like this don’t happen, and we failed to meet that responsibility.”
A privately held company founded in 2009 and based in Mountain View, Calif., Quora says its mission “is to share and grow the world’s knowledge.” Users can pose questions on the site about a variety of issues, and other users can answer them. In September, Quora reported it had surpassed 300 million unique visitors a month.
The data breach “is nothing like” the massive one announced Friday by Marriott International Inc. but it still raises concerns, said Pam Dixon, executive director of the World Privacy Forum, a nonprofit public interest group.
The Marriott breach lasted four years and compromised the information of as many as 500 million of its hotel guests worldwide. For about 327 million, the stolen data may have included important personal information such as birth dates and passport numbers. Dixon said that type of data made the breach much more significant than Quora’s, which did not include such information.
“The main issue here is going to be phishing,” Dixon said of Quora’s breach. Phishing emails seek to trick a person into clicking on a link that allows the scammer to get personal information or puts malware programs on the person’s computer.
The phishing potential could be significant if data that Quora imported from other networks included things like contact lists or full Facebook profiles. Quora did not specify the type of information involved.
“This is just a really great reminder for everyone that if you’re going to chat on social media or any other websites, it’s a great idea to have a throwaway email not connected to your work and not your primary personal email,” Dixon said. “It just makes all the sense in the world to not make it your favorite email. If it’s hacked, you delete it.”
Quora discovered Friday that a “malicious third party” had gained unauthorized access to one of its systems. “We’re very sorry for any concern or inconvenience this may cause,” D’Angelo said.
The company is still investigating the incident and has “retained a leading digital forensics and security firm to assist us,” he said.
Quora is notifying users whose data have been compromised, logging them out of the site and invalidating their passwords.
“While the passwords were encrypted … it is generally a best practice not to reuse the same password across multiple services, and we recommend that people change their passwords if they are doing so,” D’Angelo said.