420K Password Hashes Leaked in Formspring Breach

(Ping! Zine Web Tech Magazine) – Users of the social Q&A site Formspring were left scrambling to reset passwords after the social network admitted on Tuesday that it had been the victim of a security breach.

The site said a hacker successfully breached one of its “development servers.” 420,000 password hashes were later leaked; however, they did not contain the corresponding usernames. The company quickly moved to address the issue.

“We were able to immediately fix the hole and upgraded our hashing mechanisms from sha-256 with random salts to bcrypt to fortify security. We take this matter very seriously and continue to review our internal security policies and practices to help ensure that this never happens again,” commented Formspring in a blog post.
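As an added illustration of the upgrade Formspring describes (this is not Formspring's code or code from the article), the snippet below verifies stored records under either scheme and, when a legacy salted-SHA-256 record verifies, rehashes it under a slow key-derivation function so the old hash can be retired without forcing a reset. The standard library has no bcrypt, so hashlib.scrypt stands in for it here; the record layout and function names are assumptions.

```python
import hashlib
import hmac
import os

# Legacy scheme named in the article: one SHA-256 over a random salt plus the
# password. Salting defeats precomputed tables, but SHA-256 is fast, so an
# attacker holding the hashes can still try guesses at very high rates.
def legacy_hash(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

# Stronger scheme. The article says bcrypt; scrypt (in the standard library)
# stands in for it here as a comparable deliberately slow, tunable KDF.
# n is the cost parameter: raise it as hardware gets faster.
def strong_hash(password: str, salt: bytes, n: int = 2**14) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1, dklen=32)

def make_record(password: str) -> dict:
    """Create a fresh record under the strong scheme (constructed layout)."""
    salt = os.urandom(16)
    return {"scheme": "scrypt", "salt": salt, "hash": strong_hash(password, salt)}

def verify_and_upgrade(record: dict, password: str) -> tuple[bool, dict]:
    """Check the password against whichever scheme the record uses.

    Returns (ok, record). On a successful login against a legacy record the
    returned record is a new strong-scheme record the caller should store,
    because the plaintext password is only available at login time.
    """
    if record["scheme"] == "sha256":
        expected = legacy_hash(password, record["salt"])
    else:
        expected = strong_hash(password, record["salt"])
    # Constant-time comparison so verification time does not leak hash bytes.
    ok = hmac.compare_digest(record["hash"], expected)
    if ok and record["scheme"] == "sha256":
        return True, make_record(password)
    return ok, record
```

Once every active user has logged in once, any records still marked "sha256" belong to dormant accounts and can be expired with a forced reset.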

Formspring allows users to post questions and answers, sharing their viewpoints on topical issues. Meanwhile, the site is using the occasion to urge its users to create stronger passwords, and has provided tips on how to do so via its website.

“There are undoubtedly lessons to be learnt from the hack – and users would be wise to ensure that they take heed of the advice to use unique, hard-to-guess passwords on different websites – but I’m much more impressed with how Formspring has handled this incident than, say, LinkedIn,” said Sophos senior technology consultant Graham Cluley when discussing the issue on the Naked Security blog.

According to Sophos, 28 million users were asked to reset their passwords. Professional networking site LinkedIn faced its own high-profile breach last month after a hacker leaked millions of passwords from the site.