Formspring, the Social Q&A portal focused on conversations and personal interests, admitted to being breached on Tuesday. The compromise led to the loss of 420,000 hashed passwords, forcing the website to reset the passwords used by every member.
Mirroring the recent LinkedIn breach, Formspring said that they were alerted to a forum post that contained 420,000 password hashes. The suspicion at the time was that they were from their own users. Engineers shutdown the Formspring service and confirmed the passwords were indeed theirs.
In less than a day, an investigation revealed that the attacker(s) had “broken into one of our development servers and was able to use that access to extract account information from a production database,” a blog post explains.
The vulnerability was fixed, and in addition to resetting everyone’s passwords and sending alert emails, the social portal corrected their security.
“We were able to immediately fix the hole and upgraded our hashing mechanisms from sha-256 with random salts to bcrypt to fortify security. We take this matter very seriously and continue to review our internal security policies and practices to help ensure that this never happens again,” the post continued.
There have been no reported incidents of individual account compromise, but there were reports of Phishing by some users on Twitter attempting to capitalize on the incident.
Interestingly, while it gained popularity early on, most users who were reporting that they had received a password reset notice had forgotten they even registered with the service.
Related News: Best Buy Warns Customers of Account Hacking Attempts
Related Insight: The Most Prevalent Attack Techniques Used By Hackers
More from Steve Ragan
- Anonymous Claims Attack on IP Surveillance Firm Brickcom, Leaks Customer Data
- Workers Don’t Trust Employers with Personal Data: Survey
- Root SSH Key Compromised in Emergency Alerting Systems
- Morningstar Data Breach Impacted 184,000 Clients
- Microsoft to Patch Seven Flaws in July’s Patch Tuesday
- OpenX Addresses New Security Flaws with Latest Update
- Ubisoft Breached: Users Urged to Change Passwords
- Anonymous Targets Anti-Anonymity B2B Firm Relead.com
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
