Formspring is the latest in the seemingly unending list of websites to have suffered a security breach – with the password hashes of at least 420,000 users compromised and posted to the internet.
A blog entry posted by Formspring’s CEO and founder Ade Olonoh explains that the passwords of all 28 million users have been disabled (after all, only 420,000 have been posted on the net – but who knows how many the hackers may have accessed?).
According to the firm, usernames and other identifying information were not published alongside the stolen password hashes. Furthermore, in a positive sign, users were told that the SHA-256 hashed passwords were salted – and that Formspring is now tightening security further by introducing stronger bcrypt cryptographic hashes.
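The contrast the post draws, as an added example that is not Formspring's code: a salted SHA-256 record costs an attacker one fast hash per guess, while an adaptive hash carries a tunable work factor, and a site moving from the first to the second can only upgrade a user's record at login, when the plaintext is available. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt (which needs a third-party package); the record formats are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Assumption: PBKDF2 plays bcrypt's role here; with the `bcrypt` package the
# migration logic below is identical, only the hash call changes.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16

def hash_legacy(password: str, salt: bytes) -> str:
    """Salted SHA-256, as Formspring described: one fast hash per guess.
    Constructed record format: 'sha256$<salt-hex>$<digest-hex>'."""
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"sha256${salt.hex()}${digest}"

def hash_slow(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Adaptive hash with a cost parameter, the property bcrypt adds.
    Constructed record format: 'pbkdf2$<iterations>$<salt-hex>$<digest-hex>'."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    """Check a password against either record format with a constant-time compare."""
    scheme, *fields = record.split("$")
    if scheme == "sha256":
        salt_hex, digest_hex = fields
        expected = hash_legacy(password, bytes.fromhex(salt_hex)).split("$")[2]
        return hmac.compare_digest(expected, digest_hex)
    if scheme == "pbkdf2":
        iterations, salt_hex, digest_hex = fields
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest.hex(), digest_hex)
    return False  # unknown scheme: never accept

def login_and_migrate(password: str, record: str) -> Tuple[bool, str]:
    """Verify a login; on success against a legacy record, return a fresh slow-hash
    record to store in its place. Accounts that never log in keep the weak hash,
    which is why a breach still forces a reset for everyone."""
    if not verify(password, record):
        return False, record
    if record.startswith("sha256$"):
        return True, hash_slow(password)
    return True, record
```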
Formspring also says that it has identified the security hole that allowed a hacker to breach its systems:
"Once we were able to verify that the hashes were obtained from Formspring, we locked down our systems and began an investigation to determine the nature of the breach. We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database."
To their credit, Formspring appears to have dealt with the security breach quickly and fairly transparently.
There are undoubtedly lessons to be learnt from the hack – and users would be wise to ensure that they take heed of the advice to use unique, hard-to-guess passwords on different websites – but I’m much more impressed with how Formspring has handled this incident than, say, LinkedIn.
If you’re interested (and you should be!) listen to Naked Security stalwarts Paul Ducklin and Chet Wisniewski discussing password complexity and reuse in this podcast (duration 14’35”, size 10.5MBytes).