Formspring hacked, 28 million users told to change their passwords

Filed Under: Data loss, Featured, Privacy, Social networks

Username/password. Image from ShutterstockFormspring is the latest in the seemingly unending list of websites to have suffered a security breach - with the password hashes of at least 420,000 users compromised and posted to the internet.

A blog entry posted by Formspring's CEO and founder Ade Olonoh explains that the passwords of all 28 million users have been disabled (after all, only 420,000 have been posted on the net - but who knows how many the hackers may have accessed?).

Formspring blog

According to the firm, usernames and other identifying information were not published alongside the stolen password hashes. Furthermore, in a positive sign, users were told that the SHA-256 hashed passwords were salted - and that Formspring is now tightening security further by introducing stronger bcrypt cryptographic hashes.

Formspring also says that it has identified the security hole that allowed a hacker to breach its systems:

"Once we were able to verify that the hashes were obtained from Formspring, we locked down our systems and began an investigation to determine the nature of the breach. We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database."

To their credit, Formspring appears to have dealt with the security breach quickly and fairly transparently.

There are undoubtedly lessons to be learnt from the hack - and users would be wise to ensure that they take heed of the advice to use unique, hard-to-guess passwords on different websites - but I'm much more impressed with how Formspring has handled this incident than, say, LinkedIn.

If you're interested (and you should be!) listen to Naked Security stalwarts Paul Ducklin and Chet Wisniewski discussing password complexity and reuse in this podcast:

Listen now:

(Duration 14'35", size 10.5MBytes)

Listen later:

Download Techknow podcast

Login form image, courtesy of Shutterstock.

, , ,

You might like

10 Responses to Formspring hacked, 28 million users told to change their passwords

  1. SysAdmin · 1185 days ago

    Is there a repository of hacked accounts so admins can search for to see if anybody in their firm is impacted? Because inevitably some users of that site have the same password for their corporate network...

  2. Ohlmann · 1185 days ago

    And to see the exact opposite, a french newspaper had a bug in comment system that were giving away your password in clear text in a google-referenced URL. They took two day before doing something, and tried to blame pirate.

  3. dekks herton · 1185 days ago

    Given the number of forums and websites one can belong to, how is one supposed to remember or store many "unique and hard to guess passwords" in a secure manner without either writing them down or using a browser password saver?

    Another question is is what most people post on forums worth it?

    • Ian · 1185 days ago

      "how is one supposed to remember or store many "unique and hard to guess passwords" in a secure manner without either writing them down or using a browser password saver?"

      You're not supposed to remember them all. Just use KeePass or LastPass. Or use some kind of algorithm to generate passwords from the sites' names.

    • Nigel · 1184 days ago

      ...or, if you're running Mac OS X, you can use KeePassX.

  4. Milbot · 1185 days ago


    Quite easily, use a software package like KeePass or LastPass with a strong master password.

    You only need to remember one password (master password) and you can copy and paste your website password(s).

    No need to remember many, also means no excuse not to use different passwords.

  5. Robert Wurzburg · 1184 days ago

    I respectfully disagree with using password managers. They can be hacked.

    I use an electronic memory typewriter, which I can update at any time and print a list
    of passwords, website names, usernames, logins, etc. I keep backup hard copies
    in a safety deposit box, among other secure places.

    When not in use, the lists are kept under lock and key. The memory module to the
    electronic typewriter can be uninstalled, or a backup uploaded to a flash card, and
    I can delete everything on the typewriter, and restore it if needed. The flash card can
    be stored in a seure location, and so can duplicate backups.

    The typewriter has no Internet connectivity, and no networking ability. It CANNOT be
    hacked at all. The typewriter can be locked up too when I go out to lunch or leave the
    premises for any reason.

    These are the ONLY secure methods I know of to have, maintain, and secure pass-
    words and logins. Anything else is less secure.

    • philduran · 1184 days ago

      can someone read the impacts on your ink ribbon? I would think that ribbon you have there is a nice log of everything you typed recently. . .

    • Milbot · 1184 days ago

      You have to draw a line in the sand between usability and security. Its a trade off.

      I'm sorry Robert, but your average Joe isn't going to use something as complicated as an electronic typewriter. Its just too hard. We need to encourage methods that are more secure then password reuse, but not so secure they aren't used.

      I agree, your method is more secure due to a lack of connectivity, but it too can be "hacked".

      What if you forget and leave it on your desk and head off to make a cuppa? You say you wont, but one day you will and its more likely this will happen well before someone hacks my master password in KeePass.

  6. John · 1183 days ago

    Use Password Safe, it's free, open source and portable.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley