updated 12:24 pm EDT, Thu July 12, 2012
Formspring resets passwords for all users
Social network Formspring has reset passwords for all of its users following a security breach that led to about 420,000 users' passwords being posted online. In a post on the company's blog, Formspring acknowledged that someone broke into one of its development servers and used that access to extract user passwords from a production database. As a precautionary measure, Formspring then reset all of its users' passwords and upgraded its encryption systems.
Formspring says it was alerted that about 420,000 password hashes had been posted to a security forum. The post did not contain usernames or other identifying information, but an examination of Formspring's systems revealed the vulnerability that had permitted the breach. The company says it has fixed the security hole and upgraded its hashing mechanisms from SHA-256 with random salts to bcrypt.
Users logging into Formspring for the first time since the breach will now be prompted to change their passwords. Formspring has also sent out emails to all users asking that they reset their passwords. Users who log in using their Facebook accounts can still do so without changing anything, though Formspring recommends that those users change the password on their Formspring account if they have one.
The Formspring breach comes just over a month after similar password leaks occurred at LinkedIn, Last.fm, and eHarmony. In the case of LinkedIn, 6.5 million user passwords were revealed, with at least 60 percent of them being cracked less than three days after public distribution.