BreachExchange mailing list archives

Formspring resets millions of passwords amid breach


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 12 Jul 2012 00:15:05 -0400

http://www.zdnet.com/formspring-resets-millions-of-passwords-amid-breach-7000000643/

Users of the popular question-and-answer site Formspring have received
a brief email today stating that "for security reasons", their
password has been disabled, and they will need to reset it when they
log back in.

The company said that the reset has been carried out because its
systems were breached earlier today. Formspring's founder Ade Olonoh
wrote on the company's blog that Formspring believes some user
accounts were accessed in the attack. He wrote that while it is
inconvenient, the choice has been made to reset all accounts in order
to "play it safe".

Formspring has since told ZDNet Australia that it discovered around
420,000 password hashes posted to a security forum, and grew
suspicious that they could belong to Formspring users — even though
they did not contain usernames or any identifying information.

Hackers were able to compromise a development server, and, through
this, extract account information from a production database. The
company is now reviewing its security practices to ensure that a
repeat of the incident does not occur.

The algorithm used to hash passwords at the time of the leak was
SHA-256 and the company was vigilant enough to use random salts. After
this attack, however, it has updated its security stance to use
bcrypt.

At the end of November 2011, Formspring laid claim to 27 million
registered members.

Updated at 2.52pm, Wednesday, 11 July 2012: added additional comment
from Formspring.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
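The one technical detail in the forwarded article is the scheme change: random-salted SHA-256 at the time of the leak, bcrypt afterwards. The following is an added example by the editor, not part of Jake Kouns's message, the ZDNet article or any Formspring code. It stores three constructed sample passwords under a salted-SHA-256 scheme and under a slow, tunable-cost scheme, then runs the same offline dictionary attack against both dumps, which contain only salts and hashes, no usernames, like the dump the article describes. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt so the example runs offline with no third-party package; the iteration count, the wordlist and the sample passwords are assumed values chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data (not from the Formspring dump): a small cracking
# wordlist and three account passwords, two weak and one not in the list.
WORDLIST = ["password", "123456", "qwerty", "letmein",
            "iloveyou", "abc123", "monkey", "dragon"]
SAMPLE_PASSWORDS = ["letmein", "123456", "k9#Vr2!pLq7@zW"]

SALT_BYTES = 16
# Work factor for the slow scheme. Hypothetical value chosen so the demo runs
# in a few seconds; bcrypt's equivalent knob is its log2 cost parameter.
PBKDF2_ITERATIONS = 100_000


def sha256_salted(password: str, salt: bytes) -> bytes:
    """Salted SHA-256 as described for the pre-breach scheme: one fast hash
    over salt || password. The salt defeats shared rainbow tables but adds
    no work per guess."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def pbkdf2_slow(password: str, salt: bytes,
                iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Deliberately slow, tunable-cost hash. PBKDF2-HMAC-SHA256 stands in
    for bcrypt here so the example needs only the standard library."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations)


SCHEMES = {"sha256": sha256_salted, "pbkdf2": pbkdf2_slow}


def make_record(password: str, scheme: str) -> dict:
    """Store what a leak would expose: scheme, fresh random salt and hash.
    No username is kept, matching the hash-only dump in the article."""
    salt = os.urandom(SALT_BYTES)
    return {"scheme": scheme, "salt": salt,
            "hash": SCHEMES[scheme](password, salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = SCHEMES[record["scheme"]](password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def dictionary_attack(records: list, wordlist: list) -> dict:
    """Offline attack on a dump of (salt, hash) pairs. Per-record salts mean
    each guess is hashed once per record; only the hash cost limits the rate."""
    recovered = {}
    guesses = 0
    start = time.perf_counter()
    for index, record in enumerate(records):
        for word in wordlist:
            guesses += 1
            if verify(word, record):
                recovered[index] = word
                break
    elapsed = time.perf_counter() - start
    return {
        "recovered": recovered,
        "guesses": guesses,
        "guesses_per_second": guesses / elapsed if elapsed > 0 else float("inf"),
    }


def compare_schemes(passwords=SAMPLE_PASSWORDS, wordlist=WORDLIST) -> dict:
    """Hash the same passwords under both schemes and attack each dump."""
    return {
        scheme: dictionary_attack([make_record(p, scheme) for p in passwords],
                                  wordlist)
        for scheme in SCHEMES
    }


if __name__ == "__main__":
    for scheme, result in compare_schemes().items():
        print(f"{scheme:7s} recovered={result['recovered']} "
              f"rate={result['guesses_per_second']:,.0f} guesses/s")
```

Both dumps give up the two weak passwords: random per-user salts stop a precomputed table from being reused across accounts and force the attacker to hash each guess once per record, but they do not make any single guess more expensive. What changes between the two runs is the rate. One SHA-256 per guess lets a single core test hundreds of thousands of candidates per second, while the slow scheme divides that by roughly its iteration count, which is the property Formspring gained by moving to bcrypt. The cost parameter is the setting worth checking in any deployment: it should be raised over time as hardware gets faster.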