Formspring, the Social Q&A portal focused on conversations and personal interests, admitted to being breached on Tuesday. The compromise led to the loss of 420,000 hashed passwords, forcing the website to reset the passwords used by every member.
Mirroring the recent LinkedIn breach, Formspring said that they were alerted to a forum post that contained 420,000 password hashes. The suspicion at the time was that they were from their own users. Engineers shutdown the Formspring service and confirmed the passwords were indeed theirs.
In less than a day, an investigation revealed that the attacker(s) had “broken into one of our development servers and was able to use that access to extract account information from a production database,” a blog post explains.
The vulnerability was fixed, and in addition to resetting everyone’s passwords and sending alert emails, the social portal corrected their security.
“We were able to immediately fix the hole and upgraded our hashing mechanisms from sha-256 with random salts to bcrypt to fortify security. We take this matter very seriously and continue to review our internal security policies and practices to help ensure that this never happens again,” the post continued.
There have been no reported incidents of individual account compromise, but there were reports of Phishing by some users on Twitter attempting to capitalize on the incident.
Interestingly, while it gained popularity early on, most users who were reporting that they had received a password reset notice had forgotten they even registered with the service.
Related News: Best Buy Warns Customers of Account Hacking Attempts
Related Insight: The Most Prevalent Attack Techniques Used By Hackers