Someone's taken a wander through the systems of question-and-answer website Quora, pilfering account details of 100 million users.
The organisation announced on Monday this week: “On Friday we discovered that some user data was compromised by a third party who gained unauthorized access to one of our systems.”
It said it has “taken steps to contain the incident”.
Breached data includes account information, public content and actions (such as comments, upvotes and actions), and non-public actions (answer requests, downvotes, and direct messages, the latter used by only “a small percentage” of users).
The account data involved included user IDs, email addresses, and (it's good to report, for once – El Reg) fully encrypted passwords. Quora's post said it will log out all affected users, and push a password reset.
For everyone else, there's this advice: “While the passwords were encrypted (hashed with a salt that varies for each user), it is generally a best practice not to reuse the same password across multiple services, and we recommend that people change their passwords if they are doing so.”
The breach also included “data imported from linked networks,” if a user had given permission for that to be done from their account.
So it looks to The Register as though there's a risk that someone using their real name on Quora, but not on Twitter, could be doxxed as part of this leak.
Quora believes it's “identified the root cause and taken steps to address the issue”, an outside organisation is assisting, and law enforcement has been notified. ®