The online question-and-answer website Quora suffered a malicious data breach that may have affected up to 100 million accounts, the site's CEO, Adam D'Angelo, said in an official company blog posting late Monday (Dec. 3).
"For approximately 100 million Quora users, the following information may have been compromised," D'Angelo wrote. "Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users; Public content and actions, e.g. questions, answers, comments, upvotes; Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)."
The website will be notifying all affected users by email, and resetting their passwords. Anyone who had reused a password elsewhere is advised to create a new password for that account too. Users who logged into Quora using Google or Facebook login mechanisms should not be affected.
Quora has posted an extensive FAQ explaining details of the data breach, but the FAQ doesn't mention how user passwords were hashed, i.e. run through a one-way encryption algorithm. This matters because hashing algorithms vary greatly in strength. Passwords hashed with some older algorithms can be "cracked," or reversed, in milliseconds using standard desktop computers, while passwords using new algorithms might take thousands of years to crack.
D'Angelo's blog posting does mention that the hashes were "salted," meaning that a small extra bit of unique information was added to each password before it was hashed. That in theory will make the hashes more difficult to crack.
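The two points above (a unique salt per password, and the strength of the hashing algorithm) can be seen side by side in this added example, which is not from Quora or the original article and does not represent Quora's undisclosed scheme. The function names and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune to your hardware


def fast_unsalted(password: str) -> str:
    """Weak scheme: one round of a fast hash and no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Stronger scheme: a random per-user salt plus a deliberately slow KDF."""
    if salt is None:
        salt = os.urandom(16)  # unique per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def seconds_per_hash(fn, *args, rounds: int = 1) -> float:
    """Average wall-clock cost of one call, i.e. the cost of one guess."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(*args)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    # Without a salt, two users with the same password share one hash.
    print("unsalted equal:", fast_unsalted(pw) == fast_unsalted(pw))
    # With a salt, the same password yields two unrelated stored records.
    (s1, d1), (s2, d2) = hash_password(pw), hash_password(pw)
    print("salted equal:  ", d1 == d2)
    print("verify ok:     ", verify_password(pw, s1, d1))
    fast = seconds_per_hash(fast_unsalted, pw, rounds=1000)
    slow = seconds_per_hash(hash_password, pw)
    print(f"cost per guess: fast {fast:.2e}s, slow KDF {slow:.2e}s")
```

The salt is stored next to the digest; it is not secret, and its job is to make every stored record unique so one precomputed table cannot cover all accounts.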
"Not all Quora users are affected, and some were impacted more than others," the FAQ states. "It is highly unlikely that this incident will result in identity theft, as we do not collect sensitive personal information like credit card or Social Security numbers."