Formspring, the social question and answer website, disabled all their users’ passwords yesterday because of a security breach. They advised their users to change their passwords immediately and to use stronger passwords in place of their old ones.
Today, Formspring is relieved to announce that the breach was resolved. In their blog post, they gave details as to what occurred yesterday.
According to Formspring, they were notified that, “approximately 420k password hashes were posted to a security forum, with suspicion from a user that they could be Formspring passwords.”
Though the post did not contain usernames or any other identifying information, once they confirmed that the hashes were indeed obtained from their system, they locked down their system in order to properly investigate the root of the breach.
They were able to identify that someone broke into one of their development servers and was able to use that access to extract account information from a production database.
“We were able to immediately fix the hole and upgraded our hashing mechanisms from sha-256 with random salts to bcrypt to fortify security,” Formspring stated in their post. “We take this matter very seriously and continue to review our internal security policies and practices to help ensure that this never happens again.”
Formspring reminded their users not to put their email address, address or phone number in their Formspring profile, and to remember to log out of their accounts after use, especially on public or shared computers. And as always, keeping your antivirus up to date is important for keeping your computer and your online accounts safe from prying eyes.
If you’re a Formspring user and you haven’t received an e-mail from them to change your password, they encourage you to contact their support team, which will be happy to assist you.