Social Media Site Formspring Breached; 420,000 Password Hashes Posted Online
Social media site Formspring reset all its users' passwords after 420,000 password hashes were posted to a security forum following a breach.
The posting on the security forum didn't include usernames or any other identifying information, according to a message on the Formspring blog.
"Once we were able to verify that the hashes were obtained from Formspring, we locked down our systems and began an investigation to determine the nature of the breach," the message says. "We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database."
Formspring reports that it closed the security gap and upgraded its password hashing from SHA-256 with random per-user salts to bcrypt, an adaptive hash with a tunable work factor. "We take this matter very seriously and continue to review our internal security policies and practices to help ensure that this never happens again," Formspring says.
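The upgrade Formspring describes cannot be done offline, because the server never holds plaintext passwords at rest; the usual approach is to verify against the legacy salted SHA-256 record at login and rehash with the stronger scheme while the password is in hand. The following is an added example of that migration pattern, not Formspring's code: bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 with a high iteration count stands in for it, and the record format, salt and iteration count are constructed for this illustration.

```python
import hashlib
import hmac
import os

# Work factor for the replacement scheme (stand-in for bcrypt's cost parameter).
# A single SHA-256 pass is cheap to verify and equally cheap to brute-force;
# an adaptive hash makes every guess cost the attacker this much work too.
NEW_ITERATIONS = 600_000


def legacy_hash(password: str, salt: bytes) -> str:
    """Legacy record: SHA-256 over a random per-user salt and the password."""
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"sha256${salt.hex()}${digest}"


def new_hash(password: str, salt: bytes = b"", iterations: int = NEW_ITERATIONS) -> str:
    """Replacement record: salted, iterated PBKDF2-HMAC-SHA256 (bcrypt stand-in)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a password against either record format, in constant time."""
    scheme, rest = stored.split("$", 1)
    if scheme == "sha256":
        salt_hex, _ = rest.split("$")
        candidate = legacy_hash(password, bytes.fromhex(salt_hex))
    elif scheme == "pbkdf2_sha256":
        iters, salt_hex, _ = rest.split("$")
        candidate = new_hash(password, bytes.fromhex(salt_hex), int(iters))
    else:
        raise ValueError(f"unknown hash scheme {scheme!r}")
    return hmac.compare_digest(candidate, stored)


def login_and_upgrade(password: str, stored: str) -> tuple:
    """Verify the login; on success, rehash legacy records with the new scheme.

    Returns (authenticated, record_to_store). The record is only rewritten
    when the password was correct and the stored hash still uses the old scheme.
    """
    if not verify(password, stored):
        return False, stored
    if stored.startswith("sha256$"):
        return True, new_hash(password)  # fresh random salt, high work factor
    return True, stored
```

Accounts that never log in keep their legacy record, so a migration like this is usually paired with a forced reset for stale accounts, as Formspring did.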
Breaches Raise Concerns
The Formspring incident is the latest in a series of breaches involving password hashes.
LinkedIn confirmed in June that a breach of its network compromised hashed passwords associated with nearly 6.5 million accounts.
The passwords were posted on an underground hacker forum, and LinkedIn acknowledged that some of the passwords were decoded and published. LinkedIn, which has about 150 million global users, locked down and protected all accounts associated with the decoded passwords and has deactivated those potentially breached and exposed passwords.
In another recent incident, the online dating website eHarmony warned a "small fraction" of its users of a June 6 breach that likely exposed hashed passwords associated with online accounts.
According to the online technology website Ars Technica, about 1.5 million of the unsalted hashes cracked to plaintext so far appear to belong to eHarmony users.
Security expert Marcus Ranum points out that relying on logins and passwords is inadequate. "If you're part of an organization that's supporting anything that requires some kind of a password login, honestly, you should be looking at what you can do above and beyond passwords to protect your users against the inevitable time when their passwords are compromised," he says.