BreachExchange mailing list archives
Formspring resets millions of passwords amid breach
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 12 Jul 2012 00:15:05 -0400
http://www.zdnet.com/formspring-resets-millions-of-passwords-amid-breach-7000000643/

Users of the popular question-and-answer site Formspring have received a brief email today stating that "for security reasons", their password has been disabled, and they will need to reset it when they log back in.

The company said that the reset has been carried out because its systems were breached earlier today.

Formspring's founder Ade Olonoh wrote on the company's blog that Formspring believes some user accounts were accessed in the attack. He wrote that while it is inconvenient, the choice has been made to reset all accounts in order to "play it safe".

Formspring has since told ZDNet Australia that it discovered around 420,000 password hashes posted to a security forum, and grew suspicious that they could belong to Formspring users — even though they did not contain usernames or any identifying information.

Hackers were able to compromise a development server, and, through this, extract account information from a production database. The company is now reviewing its security practices to ensure that a repeat of the incident does not occur.

The algorithm used to hash passwords at the time of the leak was SHA-256 and the company was vigilant enough to use random salts. After this attack, however, it has updated its security stance to use bcrypt.

At the end of November 2011, Formspring laid claim to 27 million registered members.

Updated at 2.52pm, Wednesday, 11 July 2012: added additional comment from Formspring.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/