Date: 2018-12-04

Question-and-answer behemoth Quora has announced a major security breach that may have impacted as many as 100 million users.

The San Francisco-based company, which has raised more than $220 million in funding since its inception in 2009, said “some user data” was compromised following “unauthorized access to one of our systems by a malicious third party,” according to a blog post by Quora cofounder and CEO Adam D’Angelo.

A separate email was sent to affected Quora users informing them of the breach.

D’Angelo, who served as chief technology officer (CTO) at Facebook before starting Quora, said the breach was spotted on Friday (November 30) and may have compromised a host of personal details, including names, email addresses, data imported from other third-party sites, and encrypted passwords. The breach may also include content and related data, such as questions posted, comments made, downvotes, direct messages, and more. Any questions and answers that were posted anonymously will not be part of the breach.

Quora’s last big funding arrived via an $85 million series D round in April 2017, at which point the platform claimed 190 million visitors. By the following year, Quora claimed 300 million monthly visitors. It is worth noting here that not all of those users necessarily have an account with Quora — it is possible to read the answers to some questions when searching through Google. Quora has not revealed how many active accounts it hosts, though 100 million users doesn’t sound like it would be too far short of its entire user base. But in a separate FAQ section around this breach, the company said:

“Not all Quora users are affected, and some were impacted more than others. We are notifying those affected of the incident, and will provide updates as they are available.”

Breaches

A day rarely goes by without some form of data breach hitting the headlines, but a breach on this scale highlights the role big technology companies play as gatekeepers of our personal information. Facebook recently reported a data breach that affected 50 million accounts, while Google shuttered Google+ for consumers after an audit revealed a potential exploit — though there is no evidence any data was compromised on that occasion.

As for Quora, it’s not entirely clear whether it went through the proper protocol from a European standpoint — the recently introduced General Data Protection Regulation (GDPR) requires all companies to report such data breaches to the appropriate European authorities within 72 hours, and failure to do so can result in massive fines. Quora does seem to have notified its users roughly within the timeframe, but we’re still trying to establish whether it also notified the relevant authorities.

Quora said it has logged out all users who may have been affected, and it has also invalidated passwords for those who used a password to log in to Quora.

“We believe we’ve identified the root cause and taken steps to address the issue, although our investigation is ongoing and we’ll continue to make security improvements,” D’Angelo added. “We will continue to work both internally and with our outside experts to gain a full understanding of what happened and take any further action as needed.”

Meanwhile, here is the full email sent out to affected Quora users today: