Formspring suffers security breach – 420k password hashes leaked, all passwords reset [UPDATE]


Formspring, a question-and-answer service used by many, has suffered a major security breach: 420,000 password hashes were posted on a security forum. In response, the company has disabled all passwords and asked users to reset them.

“We learned this morning that we had a security breach where some user passwords may have been accessed,” Ade Olonoh, CEO of Formspring, wrote on their blog. “In response to this, we have disabled all users' passwords. We apologize for the inconvenience but prefer to play it safe and have asked all members to reset their passwords. Users will be prompted to change their passwords when they log back into Formspring.”

But you would not learn any of that from the email they sent users, which cites only “security reasons”. Some transparency would be nice, since not everyone is going to dig through the company blog to find out what caused this “security” problem. One suggestion was that the vague wording was meant to avoid panicking people and to keep the story from spreading across the web; it is too late for that now.

Answering our questions, a Formspring spokesperson said the company was alerted that 420,000 password hashes had been posted and verified that they came from its databases. The company confirmed that the passwords were salted, but it will be upgrading its systems to support bcrypt. That distinction matters: a salt only defeats precomputed lookup tables, and if the underlying hash is a fast general-purpose one an attacker can still test enormous numbers of guesses per second against the leaked hashes offline, whereas bcrypt's tunable work factor makes every guess deliberately expensive.
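To make the salted-but-fast versus slow-hash point concrete, here is an added example (not Formspring's code, and not from the original article) that builds a tiny "leaked" table of salted hashes, runs the offline dictionary attack an attacker would run against it, and measures how fast each guess is. The usernames, passwords, salts and wordlist are all constructed for the example; the salts are fixed only so the run is reproducible (a real system draws each one from `os.urandom`). Because bcrypt is not in Python's standard library, `hashlib.scrypt` stands in for the slow, tunable-cost hash the article says Formspring is moving to.

```python
import hashlib
import hmac
import time

# Constructed sample data for this example: a tiny "leaked" table and a tiny
# attacker wordlist. Salts are fixed here only so the run is reproducible;
# a real system draws each salt from os.urandom(16).
WORDLIST = [b"password", b"123456", b"qwerty", b"letmein", b"formspring", b"dragon"]
USERS = {b"alice": b"letmein", b"bob": b"dragon", b"carol": b"Tr0ub4dor&3"}
SALTS = {b"alice": b"\x01" * 16, b"bob": b"\x02" * 16, b"carol": b"\x03" * 16}


def salted_sha256(password: bytes, salt: bytes) -> bytes:
    """A salted but *fast* hash: one SHA-256 per guess, no tunable cost."""
    return hashlib.sha256(salt + password).digest()


def slow_hash(password: bytes, salt: bytes) -> bytes:
    """A deliberately slow, memory-hard hash. The article says Formspring is
    moving to bcrypt; scrypt is used here only because it ships in hashlib.
    n=2**13, r=8 needs about 8 MiB per evaluation, which is the point."""
    return hashlib.scrypt(password, salt=salt, n=2**13, r=8, p=1, dklen=32)


def make_leak(hash_fn):
    """Build the rows an attacker would dump: (user, salt, stored hash)."""
    return [(u, SALTS[u], hash_fn(pw, SALTS[u])) for u, pw in USERS.items()]


def verify(hash_fn, password: bytes, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(hash_fn(password, salt), stored)


def crack(leak, wordlist, hash_fn):
    """Offline dictionary attack: recompute hash_fn(salt, guess) for every
    (row, guess) pair. The salt forces one hash per row per guess instead of
    one shared precomputed table, but any password in the wordlist still
    falls; only the cost of hash_fn bounds the attacker's rate."""
    found = {}
    guesses = 0
    for user, salt, stored in leak:
        for guess in wordlist:
            guesses += 1
            if verify(hash_fn, guess, salt, stored):
                found[user] = guess
                break
    return found, guesses


def attack_rate(hash_fn, rounds: int = 20) -> float:
    """Rough single-core guesses-per-second for hash_fn on this machine."""
    salt = SALTS[b"alice"]
    start = time.perf_counter()
    for i in range(rounds):
        hash_fn(b"guess%d" % i, salt)
    return rounds / (time.perf_counter() - start)


if __name__ == "__main__":
    for name, fn in (("salted SHA-256", salted_sha256), ("scrypt", slow_hash)):
        found, guesses = crack(make_leak(fn), WORDLIST, fn)
        print(f"{name}: recovered {found} after {guesses} guesses, "
              f"~{attack_rate(fn):,.0f} guesses/s")
```

Both runs recover `alice` and `bob` (their passwords are in the wordlist) and miss `carol`, so the salt changes nothing about *which* accounts fall. What changes is the rate: the salted SHA-256 variant evaluates orders of magnitude faster per guess than the scrypt variant on the same hardware, which is exactly the gap a GPU-equipped attacker exploits against a leaked table of fast hashes and the gap a slow, tunable hash closes.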

Asked how the intruder gained access to the server, the spokesperson said in an email that the path ran through a development machine that could reach production data, the kind of environment boundary that network segmentation is meant to enforce: “We found that someone had accessed one of our development servers and was able to extract account information from a production database.”

“We were able to immediately fix the hole, and are reviewing our internal security policies and practices to help ensure that this never happens again.”

Update [2:20PM] – we updated the story to include answers from Formspring.

Join the Conversation

  • http://twitter.com/pug Ef Rodriguez

    A little explanation via the email would have been nice. Or a link to a blog post where the cause is described in detail. Disappointing.

    • http://techgeek.com.au Terence Huynh

      It did catch me by surprise when I saw an email from them. I think most people wouldn’t have checked the blog post.