Quora

Quora disclosed yesterday that approximately 100 million user accounts were compromised in a breach detected on Friday the 30th of November (Quora blog post by Adam D'Angelo, December 3). The data taken includes account information (name, email address, encrypted password), account-related data (public actions, content posted, votes), data imported from social networks for users who connected those, non-public actions (downvotes, direct messages), and questions and answers for users who chose to be visible (which is the default and was the case for most accounts). The disclosure is within four days of detection, which is comfortably within GDPR notification timelines and is, in 2018-disclosure-environment terms, fast.

The technical detail Quora has shared is limited. The company has stated that "a third party gained unauthorised access to one of our systems" and that the investigation is ongoing. The password storage is bcrypt with a salt, which is the right answer in 2018 and means that the credential-stuffing risk against re-used passwords on other services is the principal credential-related concern rather than direct password compromise of Quora accounts. The remediation is forced password reset for affected users and session invalidation. Quora has notified law enforcement, has hired a digital-forensics firm, and is in the process of communicating with affected users. The operational shape of the disclosure is, in short, well-handled.

For the customer briefings, the Quora case is a useful contrast with the Marriott case from earlier this week. Marriott had a four-year unauthorised-access window, a half-billion-record exposure, a passport-number-and-detailed-travel-pattern dataset that has substantial counterintelligence value, and an acquisition-integration root cause that points to organisational rather than technical failure. Quora has a roughly week-long disclosure window, a 100-million-record exposure, a content-and-credential dataset that is operationally less sensitive than Marriott's, and a disclosure posture that suggests the company's operational handling of the incident is competent. The two cases together are useful for illustrating the range of incident-disclosure quality and for talking about what good looks like.

For the wider GDPR-enforcement conversation, the Quora disclosure will not produce the kind of regulatory action the Marriott case will. The detection-to-disclosure window is short, the credential-handling is appropriate, the affected-data sensitivity is moderate, and the customer-side remediation is direct. The enforcement attention will be on the cases where the structural posture was poor; the cases where the operational handling was sound will produce minor regulatory engagement and routine documentation requirements.

For our customer estates, the standard credential-stuffing-protection posture against Quora-derived login attempts is already in place. The Splunk searches and rate-limit rules are tuned for the elevated-baseline post-disclosure period. Users in customer organisations who have Quora accounts and reuse that password for corporate credentials are being identified through the standard cross-reference workflow and forced through password reset and MFA enrolment as needed. The aggregate operational cost of the response is low.
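The detection side of that posture, as an added illustration rather than the Splunk searches the post refers to: a credential-stuffing run looks like one source attempting many distinct accounts in a short window with a high failure rate, and the handful of accounts where the attempt succeeded are the ones to force through reset. The log format, the sample lines, and the thresholds below are all constructed assumptions for this example, not anything from Quora or from the post's own tooling.

```python
"""
Credential-stuffing detection over authentication log lines.

Added example, not the post's own Splunk search. Assumed log format
(constructed for this example):
    "<ISO timestamp> src=<ip> user=<username> result=<SUCCESS|FAIL>"
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (documentation-range IPs, fictional usernames).
# 203.0.113.10 sprays six different accounts in five seconds and gets one hit;
# 198.51.100.7 is one user retrying their own password; 192.0.2.55 is normal.
SAMPLE_LOGS = """\
2018-12-04T09:00:01 src=203.0.113.10 user=alice result=FAIL
2018-12-04T09:00:02 src=203.0.113.10 user=bob result=FAIL
2018-12-04T09:00:03 src=203.0.113.10 user=carol result=FAIL
2018-12-04T09:00:04 src=203.0.113.10 user=dave result=FAIL
2018-12-04T09:00:05 src=203.0.113.10 user=erin result=SUCCESS
2018-12-04T09:00:06 src=203.0.113.10 user=frank result=FAIL
2018-12-04T09:05:00 src=198.51.100.7 user=alice result=FAIL
2018-12-04T09:05:10 src=198.51.100.7 user=alice result=FAIL
2018-12-04T09:05:20 src=198.51.100.7 user=alice result=SUCCESS
2018-12-04T10:30:00 src=192.0.2.55 user=gina result=SUCCESS
"""


def parse_line(line):
    """Parse one log line of the assumed format into a dict."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.fromisoformat(ts_str),
        "src": kv["src"],
        "user": kv["user"],
        "ok": kv["result"] == "SUCCESS",
    }


def detect_stuffing(log_text, window=timedelta(minutes=10),
                    min_users=5, min_fail_ratio=0.6):
    """Return {src_ip: alert} for sources whose activity in any sliding
    window of `window` length spans >= min_users distinct accounts with a
    failure ratio >= min_fail_ratio. Thresholds are illustrative; tune them
    to the estate's real baseline (the post notes they were raised for the
    post-disclosure period)."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        j = 0  # right edge of the sliding window; only ever moves forward
        for i in range(len(evs)):
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            win = evs[i:j]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if not e["ok"])
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                cand = {
                    "src": src,
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "fail_ratio": round(ratio, 2),
                    "first_seen": win[0]["ts"].isoformat(),
                    # Accounts the source actually got into: reset these first.
                    "hit_accounts": sorted(e["user"] for e in win if e["ok"]),
                }
                prev = alerts.get(src)
                if prev is None or cand["distinct_users"] > prev["distinct_users"]:
                    alerts[src] = cand
    return alerts


if __name__ == "__main__":
    for src, alert in detect_stuffing(SAMPLE_LOGS).items():
        print(src, alert)
```

The single-account retrier (198.51.100.7) is deliberately not flagged: a per-source failure count alone would catch it, but the distinct-account spread is what separates stuffing from a user mistyping their own password, and it is the `hit_accounts` list, not the failures, that drives the forced-reset queue.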

The personal-blog observation is that the Quora handling is the kind of disclosure that should be more common than it is. The technical content is sufficient without being overwrought. The customer-action guidance is clear. The legal-and-regulatory posture is straightforward. The CEO's name is on the post. None of these are revolutionary moves. They are, however, the moves that the disclosure environment has not consistently produced in 2018 and that the Marriott case, in particular, has demonstrated some companies are unable to make. The Quora case is a useful baseline reference.