This is why I hate companies that force you to sign up to gain access to content. I do not <i>want</i> that relationship. Sooner or later those systems will be legacy and then maintaining them will be a pain. Bitrot will set in and sooner or later there will be a breach.<p>One new development is that you used to be able to get your invoices mailed via snail mail. Then that disappeared and you got your invoices mailed via email. Then <i>that</i> disappeared and now you have to create an account on some portal so that you can download your invoice. So that's one userid/password combo per business relationship or service that you use privately. Healthcare, HOA, insurance, payroll etc., every bloody two bit player requires you to log-in to their oh-so-secure service rather than that they send you your stuff. Which requires a ton of overhead and - sure enough - sooner or later they get hacked because by then the amount of data they hold on to is more valuable than their security could reasonably be expected to defend.
In 2013 a Quora moderator contacted me and demanded that I provide my real name, and information showing that my name is real, or they would ban my account. I tried reasoning with them, that I just wanted to view content and did not intend to write answers or interact etc, plus, they had a valid email address and facebook profile (also fake name on facebook). They fought back "we actually want proof of your real name like a scan of ID".
I danced around and did not end up giving them a scan of my ID, but I changed it to my real name.<p>Today my information is probably leaked. Information I didn't want to give and that they threatened me for.<p>Where is the apology Quora? From all the recent leaks this is the one that pisses me off the most, because it's the one that was forced onto me.
I really started hating Quora a while back, probably 3 years ago and stopped collaborating.
Mostly because "people" were spamming answers with marketing bs...
So many answers start with "I'm Bob, CEO of MyCompany.com, I am an expert in this and that"<p>Most Quora users are hungry for answers and flood-request you to answer their question just because the system recommends them to do so. No matter how many times you pass, the system still keeps notifying you that "you are needed". Quora doesn't understand a no is a no.<p>IMHO -> There truly isn't any benefit in providing good answers on Quora, other than stroking your ego; might as well become a micro-influencer on Instagram.<p>Even worse, most questions seem truly one Google search away and the answers are low-effort.
Sure you do have some rare gems, and those are truly amazing to read. Alas, that's not often and spamming answers just for the sake of answering has become a reality.
Wow. If this had happened a couple years ago, before they made all the anonymous entries truly anonymous, this would have been <i>really</i> ugly.<p>It's a valuable lesson in "don't keep data you don't need".<p>EDIT: A little backstory for non-Quorans. Until early 2017, anonymous Quora answers and comments were anonymous to the public but not actually anonymous in the database (they were still "your" entries). In early 2017 they (presciently) made all this content fully anonymous, even in the database.
I feel that this is becoming a standard narrative. SV company comes up with an idea, decides harvesting lots of user data is how they will monetize. VCs pump in a lot of money and expect their returns, so company is now forced to collect even more data aggressively (the sign-in wall that many others have pointed out is an example of this). VC pressure causes company to "innovate" fast, most likely trading off security for new features in the meantime. As this progresses and they become more valuable, they are then targeted by hackers, which causes some type of compromise of users' data.<p>Quora is an intimate medium — tied to real names, real and often deep interests. It's especially bad that this happened.<p>There needs to be a better way to realign incentives in this ecosystem, otherwise this story will repeat.
At this point I am operating on the assumption that ALL businesses that have my data are going to inadvertently leak it at some point, and thus I am attempting to provide individual companies with as little information about me as possible.<p>The toughest ones here are my online banking and my online health portal, but other than that, I have gotten pretty picky about what information I give any company.
<a href="https://blog.quora.com/Quora-Security-Update" rel="nofollow">https://blog.quora.com/Quora-Security-Update</a> seems to be misleading, especially the introduction. They start with 'some user data was compromised', however, it seems that for 'approximately 100 million Quora users' – that's basically all users! – all user data was compromised …<p>In addition, many questions remain open, for example: Which 'leading digital forensics and security firm' is working for Quora?<p>I hope for Quora that they met their 72-hour deadline according to the GDPR. Looking at <a href="https://www.quora.com/about/privacy" rel="nofollow">https://www.quora.com/about/privacy</a>, it does not look as if Quora was / is GDPR-ready. They do not mention any legal basis for the processing (art. 13 GDPR) and they do not give information about their GDPR data representative in the EU (art. 27 GDPR).
I think at this point it should be standard practice to say <i>what</i> hashing algorithm is used in passwords when disclosing a breach.<p>The email I got from Quora just says “encrypted” passwords, and while the blog post says “hashed”, it doesn’t say what algorithm. For all we know it could be something useless like MD5
I'm not a security expert, so I ask this in real earnest to learn: what is it that these companies keep doing wrong, and/or why aren't they adjusting to the climate in which these types of attacks are increasing over time?<p>Or are they trying to adjust, and the attacks are getting so sophisticated that the pace of investment in counter-measures is below the pace of advancement in the complexity of attacks?<p>Or something in the middle?
It's genuinely hard to imagine a second-rate question and answer site could have any credentials, or indeed any non-public content, that anyone else could be interested in. From the list of what's been taken, it sounds like it's mostly email and hashed passwords, though I suspect Quora's user base is not entirely populated by people committed to a strict one-off password policy.<p>Happily I get to once again bemoan the disappearance of JCSV, who was astounded that Quora was still a thing five years ago: <a href="http://jesuschristsiliconvalley-blog.tumblr.com/post/48962035819/quoraquoraquora" rel="nofollow">http://jesuschristsiliconvalley-blog.tumblr.com/post/4896203...</a>
The Quora link to more details is a masterpiece of corporate obfuscation. Posing as a FAQ, it presents questions, then proceeds to not answer them (at least, as of a few minutes ago).<p><a href="https://help.quora.com/hc/en-us/articles/360020212652" rel="nofollow">https://help.quora.com/hc/en-us/articles/360020212652</a><p>What happened? - not answered in any detail<p>What kind of user data was affected? - answered!<p>How do I know if I was affected? - not answered<p>How was it brought to your attention? - not answered<p>How many Quora users are affected? - not answered
Seems like a complete database exfiltration. Quora advertisers also had info compromised from a separate email notice:<p><pre><code> - Account information available on the Ads Manager account settings page.
- The email address provided for notifications about your ad campaigns.
- Campaign structure and setup, including information like budgets, schedule, bids, targeting, and ad information.
- Notifications that were in your Ads Manager, such as ad paused, logo approved, and ad ready.
- Audience setup information available on the Ads Manager audience page such as types and creation date.
- Partial credit card information, including name, expiration date, and the last four digits of the credit card.</code></pre>
No system is breach-proof; security breaches happen. We as engineers should strive to reduce the break-ins and diligently push for high standards nevertheless.<p>Having said that, this is pretty much a perfect response to the situation.<p>1. Quick turnaround from the breach to the announcement
2. Concise description of what happened
3. Owning the mistake
4. Update of their mitigation
5. Promise to follow up & actionable items.
6. Additional technical detail for more interested: <a href="https://help.quora.com/hc/en-us/articles/360020212652" rel="nofollow">https://help.quora.com/hc/en-us/articles/360020212652</a><p>It sucks that this happened, but for that alone I'd like to applaud Quora team. Yes, it would've been <i>great</i> if they didn't have to force me to sign up from the first place. It would've been great if this breach has never happened. But for the context, they're handling the issue as well as possible.
This is all bullshit. My data is all over the place. At this point I expect none of my personal data to be private. These last few weeks alone my data was stolen from British Airways, Cathay Pacific, SPG/Marriott, Quora.
As users we are completely powerless.<p>Time for change. Time for intelligent heads to come together and think about what a better internet security architecture needs to look like.
Exposed Data:<p>---<p>Based on what we have learned, some of our users’ information has been exposed, including:<p>- Account information (e.g. name, email address, encrypted password, data imported from linked networks when authorized by users)<p>- Public content and actions (e.g. questions, answers, comments, upvotes)<p>- Non-public content and actions (e.g. answer requests, downvotes, direct messages)<p>Questions and answers that were written anonymously are not affected by this breach as we do not store the identities of people who post anonymous content.
I always found Quora's demand that I make an account merely to read, like Pinterest, extremely rude. I don't think I ever gave in and made an account but I suppose I can find out now.
Interesting (to me, at least) that the regular Quora update emails land in my inbox (or in the Social tab in Gmail, anyway), but the security breach notification was spam filtered...
I recently got an email from Quora, "you read XXX, did you find what you're looking for?"<p>I don't want every site that I visit sending me an email every time I click on a Google result.<p>I hit that SPAM button as fast as I could.
That's lame, but we should always remember that information leaks are happening in almost every company out there. The way we build and run systems is not adequate, unless very large efforts (like in the case of Google) are made in order to try to limit the attack exposure, but this is not for everybody cost-wise IMHO. It makes more sense for companies to limit the amount of data they ingest. In this regard it's very bad that Quora or LinkedIn force you to log in just to see content. As a user, if you want to live under correct expectations, assume that your real name and profile picture, and possibly a hashed password, are always automatically leaked.
> ...there’s little hope of sharing and growing the world’s knowledge if those doing so ... cannot trust that their information will remain private.<p>Here's a crazy idea, circa 1990's: don't store their personal information! Allow people to browse Quora without using their real names. I'm very happy I deleted my Quora account when I did.
My take on Quora and businesses like them:<p>They are hiring people based on leet code questions and school prestige and not based on real technical knowledge about systems. Their business people are top school MBA grads with no security domain expertise. They then proceed to build massive data collection programs using open source tooling that none of them fully understand. Their business model depends on that data and monetizing it in various ways. And so the complexity of their application goes through the roof with regards to user data. Their user facing web apps are the tip of the iceberg for a massive surveillance scheme.
One thing I would like to do is have various US Senators send letters to the major corporations, and perhaps even large open source groups (like npm), and ask them, proactively, what they are doing to secure citizens around the world's data.<p>There is something called the Cybersecurity Bipartisan Caucus in the US Senate.<p>I have found calling these senators (which I have never done before for any politician about anything) extraordinarily helpful and gratifying. I have even explained that I don't live in their state, and yet they still listen and clearly need the advice from good security/sysadmin people (like asking them why Facebook still doesn't have a CSP Security Header).<p>It was only 6 days ago that the "International Committee on Privacy", made up of Senators from countries around the globe, met in London to question Richard Allan, VP of Privacy at Facebook. Mark Zuckerberg rejected the request for his attendance.<p>[1] <a href="https://www.warner.senate.gov/public/index.cfm/cybersecurity" rel="nofollow">https://www.warner.senate.gov/public/index.cfm/cybersecurity</a><p>[2] <a href="https://www.parliament.uk/business/committees/committees-a-z/commons-select/digital-culture-media-and-sport-committee/news/grand-committee-evidence-17-19/" rel="nofollow">https://www.parliament.uk/business/committees/committees-a-z...</a><p>[3] <a href="https://www.youtube.com/watch?v=1P97ubLDbJI" rel="nofollow">https://www.youtube.com/watch?v=1P97ubLDbJI</a>
It's strange that:<p>- the linked article says the breach included hashed passwords, but makes no mention of salt<p>- the help page says they're forcing affected users to change their passwords<p>If the passwords were salted before being hashed and stored, then:<p>- Why not mention it, so users (especially those who don't use unique passwords on every site) know that it's not trivial for their password to be found?<p>- Why force people to change their passwords?
The folks asking for snail mail are joking right? Snail mail is an obsolete relic of a time gone by, and belongs in the dust-bin of history alongside buggy whips, wood fired steam engines, betamax, etc.<p>Personally I'd pay to be able to <i>stop</i> getting snail mail. If it weren't for the one or two rare pieces of semi-important crap that show up, sent by dinosaurs that don't realize we aren't living in the 20th century anymore, I'd quit checking my physical mailbox once and for all. I mean, it's not like 99/100'ths of what comes in there isn't junk catalogs, fundraising letters from politicians I hate, sales flyers from stores I hate, bills that I pay online already, mail meant for the previous residents, etc. But unlike email spam, it actually costs me effort to scrape that garbage out of the box and haul it to the dumpster.<p>Blech. Personally, I want no part of it.
>I didn’t know I had a Quora account. How is it that my email or information was exposed? You may have signed up for Quora some time ago. While you might not have regularly visited or used Quora, your account remained, and this breach may have exposed some of your information, such as the email address you signed up with, the password you used, or actions you took on Quora.<p>Would be nice if websites measured user activity and could 'lock out' or otherwise release their data if they never use the site; at least, confirm with said user via email if the account is needed.<p>But in this era, I'm sure companies would prefer to keep whatever data they can get.
In other cases customers have had trouble filing individual lawsuits for damage because the companies successfully argue that the information--usually credit information--doesn't belong to them, it belongs to the credit card companies.<p>However, in this case, there is no credit card information to muddle up or confuse a case. It's only a user's personal information--private messages, moderator requests, reports against other users--that has been compromised because they didn't collect credit card info. And there's an enforced "real names" policy that makes it identifiable.
From reading the details it looks like almost all user data (and every user's data) is compromised. Using the word "some" should be illegal in this instance.
Is Quora legally liable for compromised data? Making companies legally liable for compromised data might be one way for them to be scrupulous about minimal data retention.
Actually, I was looking at an answer last night and couldn't see it because my account was logged out. This happens on Chrome from time to time, so I didn't think much of it. But, when trying to log back in it said my password was incorrect. This was before the announcement.<p>I wonder if some had their details reset altogether? Either way, this looks like a major breach considering the value of people who have signed up with Quora.
Quora would not allow you to read multiple answers by clicking on "similar questions" (on the side) without creating an account.<p>And then this happens!
The post states:<p>>"We recently discovered that some user data was compromised as a result of unauthorized access to one of our systems by a malicious third party."<p>"Some user data"<p>Then goes on to say:<p>>"For approximately 100 million Quora users, the following information may have been compromised:<p>Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users
Public content and actions, e.g. questions, answers, comments, upvotes
Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)"<p>Wouldn't this be closer to "all user data was compromised"?<p>It seems absurd for them to state "some user data was compromised." That seems like a pretty comprehensive list of user data. What else would there be?<p>This is a company that for years forced account sign up and obscured user generated content even for users who just wanted to browse unless you created an account. Seriously fuck Quora.
I've started keeping a log of all information I provide to a company: addresses, phone numbers, names, social security number, etc... I started doing it just to keep track of everywhere I need to update next time I change address, phone, cards, and emails at the same time[1], but it's been eye opening to watch the list grow.<p>I think of it as something like a reverse password manager; instead of "here's a website, what's my data", it's "here's a bit of information about myself, who has it?"<p>It's a pain keeping that list updated but at this point I'm so hooked on being able to see my personal info leak out into the world bit by bit that the friction is worth it.<p>I'm still trying to figure out what I should do with the data I have on myself, if anyone has any suggestions.<p>[1] That situation seems sketchy seeing it written down like that, so just want to explain that it's because I moved to a different country (address, phone, credit cards) and away from gmail at the same time.
How were the passwords hashed? Wait. You know what? At this point it doesn’t matter. Using the same password everywhere is a broken concept and password managers are still unadopted. At this point the only solution is either SSO from a few points of trust (facebook, google, twitter, etc.) and/or password managing+generation by default (safari, iOS)
I hate Quora for the dark pattern practice of forcing you to log in before you can see anything.<p>In a way this is a great example of why you shouldn’t collect data willy-nilly.<p>I really really really hope we get some sort of a law where companies are seriously liable for data breaches.<p>The US has a ton of tech companies but very little regulation that protects the customer.
This is seriously distressing. This underscores the reasons why you should never use a third party messaging system for any sort of private conversation.<p>Why is this so easy? Is it impossible for a well-funded company to keep its user information private? If so, can we act like it?
Several friends and I had our Steam passwords stolen. The lesson I learned was not to have the same password for more than one service, because my gmail account was hijacked too. The perpetrator stopped at changing the gmail language to Polish, thank God. But the damage he/she could have done was much greater. It was before "login attempt from unknown location" messages. It was a drag to bring it all back but we did it. The lesson also is: joining any online service/site we must accept the risk that anything you provide could be stolen at some point, and modify our usage philosophy of these services.
This is another reason why I don't like the "social logins". You give them so much data. They strongly encourage you to use the social login instead of using the regular email sign up.
I received an email from Quora informing me of the breach, but I do not have an account. I even used the "Forgot Password" function to confirm - why did I receive this email?
Bruce Schneier says data is a toxic asset. He's right. There should be (will be?) laws preventing collection of most data, and punitive liability when collected data is breached.
> While the passwords were encrypted (hashed with a salt that varies for each user), it is generally a best practice not to reuse the same password across multiple services, and we recommend that people change their passwords if they are doing so.<p>According to my trusted Password Safe (<a href="https://pwsafe.org/" rel="nofollow">https://pwsafe.org/</a>) I call about 400 accounts my own - each one with a unique random password.
1. Force everyone to register to get access to content.
2. Leak that data.
3. ...
4. Profit. Not sure how this part works though.<p>I hope a lesson is learned: don't force users to register just because you can
I somehow got added into the Quora ecosystem some time back, without even actually signing up from memory. Just one day I'm getting notifications that someone is talking to me on Quora.<p>Even though I didn't explicitly set up an account, it seemed to have done it for me already. I just assumed it was one of those shitty content aggregation platforms like the sorts that steal all the posts from Stackoverflow and rebrand them.
From now on, I will assume all my user-data will be compromised. We need a new way to store user-data; it will be a balance of convenience and security, but more importantly, it needs to be temporal, i.e. the user-data shall not be static anymore, something like a virtual and temporarily generated password for each session?
It's quite obvious that Quora doesn't care a lot about user data. Just to look at the website, you need to log in with Facebook, and in fact other users could at some point even see which parts of the site you browse to without informing you. Kind of sucks; luckily I deleted my account half a year ago.
Is it really that hard to keep a database secure?<p>Genuine question - not sarcasm. I would love to know how the attackers got in in the first place.<p>Usually when I hear about a breach, my first reaction is “yeah, I would have covered that from the start,” but if there’s something to be learned here, I’m all for it...
What's bad about the Quora website is that whenever you see an Answer notification and click on it, instead of a popup for quick review, the website goes to a new URL for the answers.
That's why I don't use Quora much these days, due to the stupid UX.
Feels good to have left Quora and gotten confirmation that they'd wiped my account shortly after they hit mainstream. (Cannot remember exactly what happened but I think they defaulted to showing every question I visited in my public timeline or something.)
The game of large numbers: so hackers obtain a million passwords. How will they decide which of them to spend their time on? In Quora's case, which requires real identities and institutional affiliations, will they go after the cream of the crop then?
Clearly this is well orchestrated and professional. I'm wondering what could be the motivation for such an attack. There is no monetary benefit whatsoever. Perhaps some AI company wanting to acquire solid data to train their models?
I didn't even know I had a Quora account. Never consciously registered one. Got the e-mail though. Tried to log in, had to "complete my account" before I could go on.....wtf....
I deleted my account now, tho.
No mention of hashing algorithm for passwords, so until they provide that info, I would just assume they hashed with unsalted md5 or sha1 or even crc, and treat it as if they had stored them in plain text.
The solution to data security is incorporating security at the base layer, i.e. <a href="https://universallogin.io/" rel="nofollow">https://universallogin.io/</a>
Is there an email notifying all users of the incident and a separate email notifying those affected, or just one?<p>Many companies seem to use intentionally vague wording to suggest you might not have to worry.
This is the email that they sent to users: <a href="https://nfil.es/w/kHYd7t/" rel="nofollow">https://nfil.es/w/kHYd7t/</a>
> Account information (e.g. name, email address, encrypted password, data imported from linked networks when authorized by users)<p>Quora encrypted passwords instead of hashing them? FAIL.
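Several comments above turn on the same question: was the stored password a plain unsalted hash (MD5/SHA-1, as one commenter fears), a per-user salted hash (as Quora's own wording claims), or reversible encryption? The following is an added example, not Quora's code and not from the original thread, that contrasts an unsalted fast hash with a per-user salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from Python's standard library) and shows why the salt matters for users who reuse passwords. The two user records and the "pepper" are constructed sample data; the `example.test` addresses and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happen to share the same password.
# These records are made up for this illustration; they are not breach data.
USERS = {
    "alice@example.test": "correct horse battery staple",
    "bob@example.test": "correct horse battery staple",
}


def unsalted_md5(password: str) -> str:
    """The scheme the comments fear: fast, unsalted MD5.

    Identical passwords yield identical digests, so a dump reveals which
    accounts share a password, one cracked digest unlocks all of them, and
    precomputed tables apply directly to every row at once.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_salted(password: str, iterations: int = 600_000) -> dict:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).

    The salt is stored next to the hash and need not be secret; it only has
    to differ per user, so each row must be attacked separately and shared
    passwords are no longer visible as equal digests.  The iteration count
    (assumed here) makes each guess deliberately expensive.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def compare_schemes(users: dict) -> dict:
    """Count distinct stored values under each scheme for the same user set.

    With unsalted MD5 the two identical passwords collapse to one digest;
    with per-user salts every record is distinct even for equal passwords.
    """
    md5_digests = {unsalted_md5(pw) for pw in users.values()}
    salted_hashes = {store_salted(pw)["hash"] for pw in users.values()}
    return {
        "users": len(users),
        "distinct_unsalted_digests": len(md5_digests),
        "distinct_salted_hashes": len(salted_hashes),
    }


if __name__ == "__main__":
    print(compare_schemes(USERS))
    rec = store_salted(USERS["alice@example.test"])
    print("login ok:", verify_salted("correct horse battery staple", rec))
    print("wrong pw:", verify_salted("hunter2", rec))
```

Note the limit the salted scheme has, which is the point raised about reused passwords: a salt removes the cross-account and precomputed-table shortcuts, but a weak or reused password is still guessable one row at a time, which is why a disclosure should name the algorithm and work factor rather than just "hashed" or "encrypted".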
I think we’re at a point where it’s safe to assume most of our data can be collated into a frighteningly thorough profile of our lives for anyone on the internet to see.
Not gonna shed a tear for the self-important people who wanted to slap their wisdom on everyone signed with their real name. It's as much a failure of Quora as it is their own.<p>Anyone remember the glory days of facebook, when real names were "revolutionary" and all the rage? Quora followed that cargo cult (founded by facebook people, after all) and the consequences of that choice are due today. We really need to introduce the concept of "expiring data" on the internet, personal or not. After a reasonable amount of inactivity, identities should be anonymized.
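Two comments in this thread (the one quoting Quora's "I didn't know I had a Quora account" FAQ entry, and the one just above) propose the same control: warn dormant accounts, then strip their identity after a period of inactivity, so a later dump carries fewer real names. The following is an added example, not part of the thread and not Quora's code, of that retention rule over a small constructed account table. The thresholds (warn after 300 days, anonymize after 365), the field names, the `example.test` addresses and the keyed pseudonym derivation are all assumptions; the HMAC key would in practice live in a secret store, not in source.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample records (made up for this illustration).
ACCOUNTS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.test",
     "last_seen": "2018-11-20T00:00:00+00:00", "answers": 12},
    {"id": 2, "name": "Bob Example", "email": "bob@example.test",
     "last_seen": "2016-01-05T00:00:00+00:00", "answers": 3},
    {"id": 3, "name": "Carol Example", "email": "carol@example.test",
     "last_seen": "2017-06-30T00:00:00+00:00", "answers": 0},
    {"id": 4, "name": "Dan Example", "email": "dan@example.test",
     "last_seen": "2018-01-15T00:00:00+00:00", "answers": 7},
]

# Fields that identify a person; everything else (contribution counts etc.)
# is kept so public content survives while the identity behind it expires.
PII_FIELDS = ("name", "email")


def pseudonym(account_id: int, key: bytes) -> str:
    """Keyed, one-way token for an expired account.

    Lets the operator keep referential integrity and dedupe internally
    without the table holding a name or email.  Without the key the token
    cannot be linked back to the id, which is the point of using HMAC rather
    than a bare hash of a small integer.
    """
    mac = hmac.new(key, str(account_id).encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def apply_retention(accounts, now, key,
                    warn_after=timedelta(days=300),
                    anonymize_after=timedelta(days=365)):
    """Return new records labelled active / pending_confirmation / anonymized.

    - active: seen within warn_after.
    - pending_confirmation: idle past warn_after; the caller should email the
      user asking whether the account is still wanted (PII still present).
    - anonymized: idle past anonymize_after; PII replaced by a pseudonym.
    Input records are not mutated.
    """
    out = []
    for acct in accounts:
        idle = now - datetime.fromisoformat(acct["last_seen"])
        rec = dict(acct)
        if idle > anonymize_after:
            for field in PII_FIELDS:
                rec[field] = None
            rec["pseudonym"] = pseudonym(acct["id"], key)
            rec["state"] = "anonymized"
        elif idle > warn_after:
            rec["state"] = "pending_confirmation"
        else:
            rec["state"] = "active"
        out.append(rec)
    return out


def remaining_pii(records) -> int:
    """How many records still carry any identifying field (audit metric)."""
    return sum(1 for r in records if any(r.get(f) for f in PII_FIELDS))


if __name__ == "__main__":
    now = datetime(2018, 12, 4, tzinfo=timezone.utc)
    processed = apply_retention(ACCOUNTS, now, key=b"constructed-demo-key")
    for r in processed:
        print(r["id"], r["state"], r["name"], r.get("pseudonym"))
    print("records still holding PII:", remaining_pii(processed))
```

The audit function is there because "we anonymized dormant accounts" is only a meaningful claim if the count of rows still holding identity can be measured and reported, the same kind of concrete detail the disclosure in this thread was criticized for leaving out.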
Can anyone explain how Quora is still relevant? How did they raise the $85M for their series D only last year?<p>To me it seems it's going the way of Yahoo Answers, if it already hasn't. It might be gaining some traction in developing countries but the signal:noise ratio seems really low at this time, coupled with terrible UI.
I'm experiencing a sense of schadenfreude because I'm embittered by Quora's arrogant "real names" policy. They won't "let me" contribute.<p>Nothing insightful. I'm just here to kick them while they're down.
Quora is an absolute shit show. It won't allow you to read content on mobile web EVEN WHEN YOU ARE SIGNED IN! To top it they disallow any screenshots of the same! Check here <a href="https://pbs.twimg.com/media/Dc-9ldcU8AUr23v.jpg" rel="nofollow">https://pbs.twimg.com/media/Dc-9ldcU8AUr23v.jpg</a>
<a href="https://pbs.twimg.com/media/Dc-9ldbVAAALJfX.jpg" rel="nofollow">https://pbs.twimg.com/media/Dc-9ldbVAAALJfX.jpg</a><p>Even though I have been a heavy quora user (reader and contributor), I would be really happy if it died a really painful and stupid death
Barely a month back, in the facebook data breach thread on HN, I was downvoted and my comment removed when I said that it has become a fashion for the top 500 web/e-com companies to come along one day and announce a data breach and walk away. I said there that it all looks to me like part of a conspiracy theory where they hide behind a breach to sell data / buy data en masse for marketing purposes.