Quora security breach reveals users and their contacts data
The data of 100 million Quora users, and of their friends, has been exposed as a result of unauthorized access to Quora systems by a malicious third party. Quora is a crowd-sourced knowledge-sharing site and it is now taking steps to address the Quora security breach.
Quora are logging out all Quora users who may have been affected and, if they use a password as their authentication method, are invalidating their passwords. This is probably an unnecessary step, as passwords were not stored in plaintext (they were hashed with a salt that varies for each user), but Quora are taking no additional risks. They remind users that it is generally best practice not to reuse the same password across multiple services, and Quora recommend that people change their passwords if they are doing so.
The breach was discovered on Friday, when Quora found that some user data had been compromised by a third party who gained unauthorized access to their systems. They are still investigating the precise causes and, in addition to the work being conducted by internal security teams, Quora have retained a leading digital forensics and security firm to assist them. They have also notified law enforcement officials.
While the investigation is still ongoing, Quora has already taken steps to contain the incident, and their efforts to protect their users and prevent this type of incident from happening in the future are now their top priority.
What information was involved in the Quora security breach?
If you are registered on Quora or have a friend who is, the following information may have been compromised:
- Account and user information, e.g. name, email, IP, user ID, encrypted password, user account settings, personalization data
- Public actions and content including drafts, e.g. questions, answers, comments, blog posts, upvotes
- Data imported from linked networks when authorized by you, e.g. contacts, demographic information, interests, access tokens (now invalidated)
- Non-public actions, e.g. answer requests, downvotes, thanks
- Non-public content, e.g. direct messages, suggested edits
Questions and answers that were written anonymously are not affected by this breach as Quora do not store the identities of people who post anonymous content.
What’s particularly infuriating is that friends of Quora users may also have had some of their personal information exposed in this breach. This is a result of the increasing trend for social sites to get users to share their address books and their connections on other social sites. It means that you not only need to keep your own data safe and be able to trust the sites you use, you also need to vet your friends and the sites they use if you want to be certain you’re not about to be added to multiple spam lists and potentially inundated with fraudulent emails or fake friend requests from someone masquerading as your real friend.
Are these social-shared contact books GDPR compatible?
Never been much of a fan of them, but under the new system, as I understand it, they should be completely forbidden.
The website (in this case Quora) has received permission from user A to access their contact book; that’s probably fine if used narrowly.
User A’s contact book, however, is not a list of User A’s data, it is essentially User A’s mailing list, which actually contains the personal data of Non-Users B, C, D, E and so on.
Unless User A has explicitly received consent from everyone in their contact book to sell that information (even free of charge) to third parties, then User A has no right to give it to Quora, and Quora has no right to store that info after using it for their specific, narrow purpose.
Am I wrong?