Formspring resets millions of passwords amid breach

Summary: Formspring has reset all of its user passwords, following a breach of its systems today.

TOPICS: Security, Outage

Users of the popular question-and-answer site Formspring have received a brief email today stating that "for security reasons", their password has been disabled, and they will need to reset it when they log back in.

Formspring's email reads: "For security reasons, we have disabled your password and ask that you reset it. When you log back into Formspring, you will be prompted to change your password."
(Screenshot by Michael Lee/ZDNet Australia)

The company said that the reset has been carried out because its systems were breached earlier today. Formspring's founder Ade Olonoh wrote on the company's blog that Formspring believes some user accounts were accessed in the attack. He wrote that while it is inconvenient, the choice has been made to reset all accounts in order to "play it safe".

Formspring has since told ZDNet Australia that it discovered around 420,000 password hashes posted to a security forum, and grew suspicious that they could belong to Formspring users — even though they did not contain usernames or any identifying information.

Hackers were able to compromise a development server, and, through this, extract account information from a production database. The company is now reviewing its security practices to ensure that a repeat of the incident does not occur.

The algorithm used to hash passwords at the time of the leak was SHA-256 and the company was vigilant enough to use random salts. After this attack, however, it has updated its security stance to use bcrypt.

At the end of November 2011, Formspring laid claim to 27 million registered members.

Updated at 2.52pm, Wednesday, 11 July 2012: added additional comment from Formspring.

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.
