Quora recently acknowledged that they were hacked by a malicious third party. In a classic tale, user data was stolen through a breach. Quora has alerted the authorities. The breach has implications for around 100 million users:
- Account information, e.g. name, email address, encrypted password (hashed using bcrypt with a salt that varies for each user), data imported from linked networks when authorized by users
- Public content and actions, e.g. questions, answers, comments, upvotes
- Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)

One interesting find here in my opinion is that Quora uses bcrypt to encrypt passwords. That’s a pretty standard way that people do it when they build apps. That’s how I encrypted user passwords this summer at my internship. I guess I expected Quora to have maybe a proprietary way of encrypting passwords. Maybe bcrypt is just that good. I don’t know.

https://blog.quora.com/Quora-Security-Update