Formspring breach and leak triggers massive password reset

Formspring, a social Q&A website popular with teenagers, is the latest site to have its servers breached and the passwords of its users compromised by hackers.

According to a blog post by Formspring CEO Ade Olonoh, the company was notified that 420,000 password hashes that seem to belong to its users have been posted to a security forum, and immediately began an internal investigation.

“Once we were able to verify that the hashes were obtained from Formspring, we locked down our systems and began an investigation to determine the nature of the breach,” wrote Olonoh. “We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database.”

The company immediately disabled the passwords of all of its 28 million members.

They then proceeded to patch the hole through which the attacker gained access to the aforementioned servers, and upgraded their hashing mechanisms from sha-256 with random salts to bcrypt.

Formspring deserves great praise regarding how they handled this breach, the notification process about it, and for the fact that the leaked password hashes were salted.

Users will be prompted to change their passwords when they log back into Formspring, and Olonoh shared some tips about choosing strong passwords.