Security Experts:

Formspring Hacked - 420,000 Passwords Leaked

Formspring, the Social Q&A portal focused on conversations and personal interests, admitted to being breached on Tuesday. The compromise led to the loss of 420,000 hashed passwords, forcing the website to reset the passwords used by every member.

Mirroring the recent LinkedIn breach, Formspring said that they were alerted to a forum post that contained 420,000 password hashes. The suspicion at the time was that they were from their own users. Engineers shutdown the Formspring service and confirmed the passwords were indeed theirs.

Cybercrime

In less than a day, an investigation revealed that the attacker(s) had “broken into one of our development servers and was able to use that access to extract account information from a production database,” a blog post explains.

The vulnerability was fixed, and in addition to resetting everyone’s passwords and sending alert emails, the social portal corrected their security.

“We were able to immediately fix the hole and upgraded our hashing mechanisms from sha-256 with random salts to bcrypt to fortify security. We take this matter very seriously and continue to review our internal security policies and practices to help ensure that this never happens again,” the post continued.

There have been no reported incidents of individual account compromise, but there were reports of Phishing by some users on Twitter attempting to capitalize on the incident.

Interestingly, while it gained popularity early on, most users who were reporting that they had received a password reset notice had forgotten they even registered with the service.

Related News: Best Buy Warns Customers of Account Hacking Attempts

Related InsightThe Most Prevalent Attack Techniques Used By Hackers

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.