The company has determined that attackers were able to access names, email addresses, hashed passwords, and data imported from linked networks. They were also able to collate users' questions, answers, comments, upvotes, direct messages, answer requests, and downvotes.
Much of this information was already available via users' profiles. However, the inclusion of email addresses, direct messages, and other private information is significant. Though attackers only made off with hashed passwords, there could still be a security threat for some users.
Should Users Be Worried?
Because of earlier large-scale hacks of Yahoo, Adobe, and others, attackers can cross-reference the email addresses with previously discovered passwords. As a result, your account may be vulnerable if you use the same details across multiple platforms. The way the hashing is implemented is also an important consideration.
Regardless, an attacker could also look through private information such as questions and DMs to tailor social engineering or phishing attacks. Thankfully, Quora says that it's unlikely users' identities will be stolen:
“It is highly unlikely that this incident will result in identity theft, as we do not collect sensitive personal information like credit card or social security numbers,” said the company.
It has revealed little about the details of the attack other than that it was “compromised as a result of unauthorized access to one of our systems by a malicious third party”. Until we know all the relevant information, it pays to be extra cautious.
Quora is currently investigating the causes of the attack with the help of its internal security and an outside digital forensics and security firm. It has also informed law enforcement. Users who may have been affected have been logged out of their accounts and forced to reset their passwords.
The breach follows a hack of hotel chain Marriott last week that may have exposed passport details, emails, physical addresses, and phone numbers of 500 million people.