What is a Quora bot

Hackers copy data from 100 million users of the Quora question portal

The operators of the question portal Quora are currently warning around 100 million users via email that unknown attackers have successfully attacked the website and had access to various user data. Quora claims to have discovered the incident last Friday.

A warning from the Quora officials indicates that the intruders were able to copy direct messages, email addresses, comments and passwords, among other things. Credit card details and anonymously written posts are reportedly not affected by the incident. The full extent is currently unclear and investigations are ongoing.

At Quora you can ask questions of all kinds, which the community answers. You can also subscribe to users and follow topics. The information service has existed since 2009.

Password protection unclear

The website operators assure users that passwords are protected on the servers (hash plus salt). However, it is currently unclear which hash function is used to process the data. A response to the request from heise security is still pending.

If the MD5 method, which has long been considered unsafe, were used without a salt, the attackers could in most cases reconstruct the captured passwords in a comparatively short time. It remains to be hoped that a method that is currently considered secure, such as bcrypt, is used to protect the data more effectively against brute-force attacks.
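As an added illustration (not part of the original article and not Quora's code), the following Python audit tells MD5-shaped digests from bcrypt strings in a store of password values and flags accounts that share a stored value, which is the tell-tale of a missing salt. The user names, passwords and records are constructed; the bcrypt strings are format-only placeholders, not real bcrypt output.

```python
import hashlib
import re

# bcrypt modular-crypt layout: $2b$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$([./A-Za-z0-9]{22})[./A-Za-z0-9]{31}$")
HEX128_RE = re.compile(r"^[0-9a-fA-F]{32}$")  # shape of an MD5 digest in hex


def classify(stored):
    """Return (scheme, detail) for one stored password value."""
    m = BCRYPT_RE.match(stored)
    if m:
        cost = int(m.group(1))
        # The cost is a log2 work factor: each +1 doubles the hashing effort.
        return "bcrypt", {"cost": cost, "rounds": 2 ** cost, "salt": m.group(2)}
    if HEX128_RE.match(stored):
        return "md5-like", {}  # 128-bit hex digest; the shape alone cannot prove MD5
    return "unknown", {}


def audit(records):
    """records maps user -> stored value; report schemes and shared digests."""
    schemes, by_value = {}, {}
    for user, value in records.items():
        scheme = classify(value)[0]
        schemes[scheme] = schemes.get(scheme, 0) + 1
        by_value.setdefault(value, []).append(user)
    # Identical stored values for different users mean no per-user salt.
    shared = sorted(sorted(users) for users in by_value.values() if len(users) > 1)
    return {"schemes": schemes, "shared_digests": shared}


def sample_unsalted_md5():
    """Constructed store: alice and bob chose the same password."""
    pw = {"alice": b"sunshine1", "bob": b"sunshine1", "carol": b"tr0ub4dor"}
    return {u: hashlib.md5(p).hexdigest() for u, p in pw.items()}


def sample_bcrypt():
    """Constructed, format-only bcrypt strings (not real bcrypt output)."""
    digest = "0123456789ABCDEFGHIJKLMNOPQRSTU"
    return {"alice": "$2b$12$abcdefghijklmnopqrstuv" + digest,
            "bob": "$2b$12$vutsrqponmlkjihgfedcba" + digest[::-1]}


if __name__ == "__main__":
    print(audit(sample_unsalted_md5()))
    print(audit(sample_bcrypt()))
```

In the unsalted sample, alice and bob end up with the same stored value, so one recovered password exposes both accounts; with a per-password salt the stored values differ even when the passwords match.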

For security reasons, Quora has invalidated passwords and logged users out. Anyone who uses the service must set a new password the next time they log in. If the compromised password is also used for other online services, it should be changed there as well.

How the attackers got into the system has not yet been clarified. Law enforcement and forensic and security firms are currently working on the incident.

[UPDATE, 04.12.2018 10:30 am]

The emails to affected users show that the passwords are hashed with a salt on the servers. The body text has been adapted.

[UPDATE, 12/12/2018 9:00 a.m.]

A Quora spokesman informed us that the passwords are protected with the bcrypt method plus salt. According to what we know today, this is considered secure.
