5 December 2018

What’s happened?
Online question-and-answer website Quora has been impacted by a security incident, with an unauthorised third party gaining access to the data of approximately 100 million users.
Quora is a Q&A platform where you can ask a question and get answers from other users, or answer other user’s questions with your own knowledge. Quora posts quizzes on social media to try and generate more responses and subscribers to the platform. Quora’s Q&A forums might come up in your social feeds, even if you aren’t a Quora user.
Compromised data could include:
  • Account information such as your name, email address, password, and user authorised data imported from linked networks like Google and Facebook.
  • Public content and actions such as questions, answers, comments and upvotes.
  • Non-public content and actions, such as answer requests, downvotes and, in a low percentage of cases, direct messages.

Does it affect me?
Quora is notifying affected users of the incident via email and will provide further updates as they are available.
Many people may not be aware that they have an account, because to access or respond to a Quora forum, you need to log in – either by creating a new account or by linking your Google or Facebook account.
Even if you signed up some time ago or don’t regularly visit or use Quora, your account would still be active and this breach may have exposed some of your information.
Any questions and answers that you have written anonymously are not affected by this breach as Quora does not store the identities of people who post anonymous content.

How do I stay safe?
To check if you have logged into Quora using your Facebook account, go to Settings > Apps and Websites > Logged in with Facebook. From here you will be able to see if you’ve used Quora.
There are a few simple steps you can take to help keep your information safe:
  • Change your Quora account password. Go to account settings on the Quora website and click ‘Change Password’.
  • Use a strong password and don’t re-use the same password on other websites.
  • Change your password on any accounts where you may have used the same email and password combination.
If you are concerned that your personal information has been compromised and misused, you can contact Australia’s national identity and cyber support service, IDCare, or use their free Cyber First Aid Kit.
If you have been a victim of a cybercrime such as fraud, report it to the Australian Cybercrime Online Reporting Network (ACORN).

More information
Quora is investigating the incident and has provided a security update and FAQs on their website.
Stay Smart Online has more information on creating strong passwords and protecting your personal information online.

The information provided here is of a general nature. Everyone’s circumstances are different. If you require specific advice you should contact your local technical support provider.
Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.Disclaimer
This information has been prepared by the Australian Cyber Security Centre (‘the ACSC’). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.