Formspring resets millions of passwords amid breach

Formspring has reset all of its user passwords, following a breach of its systems today.

update Users of the popular question-and-answer site Formspring have received a brief email today stating that "for security reasons", their password has been disabled, and they will need to reset it when they log back in.

Formspring's email reads: For security reasons, we have disabled your password and ask that you reset it. When you log back into Formspring, you will be prompted to change your password
(Screenshot by Michael Lee/ZDNet Australia)

The company said that the reset has been carried out because its systems were breached earlier today. Formspring's founder Ade Olonoh wrote on the company's blog that Formspring believes some user accounts were accessed in the attack. He wrote that while it is inconvenient, the choice has been made to reset all accounts in order to "play it safe".

Formspring has since told ZDNet Australia that it discovered around 420,000 password hashes posted to a security forum, and grew suspicious that they could belong to Formspring users — even though they did not contain usernames or any identifying information.

Hackers were able to compromise a development server, and, through this, extract account information from a production database. The company is now reviewing its security practices to ensure that a repeat of the incident does not occur.

The algorithm used to hash passwords at the time of the leak was SHA-256 and the company was vigilant enough to use random salts. After this attack, however, it has updated its security stance to use bcrypt.

At the end of November 2011, Formspring laid claim to 27 million registered members.

Updated at 2.52pm, Wednesday, 11 July 2012: added additional comment from Formspring.