Formspring has announced that a recent security breach resulted in the exposure of a significant number of user passwords.
"A Formspring spokesperson told CNET that the company was tipped off to breach by someone who spotted about 420,000 passwords posted to a security forum that appeared to come from Formspring," writes CNET News' Steven Musil.
"After being informed of this discovery, the operators of the platform soon managed to trace the leak to one of their development servers which had allowed an attacker to access a production server and said that they successfully closed it," The H Security reports.
"In response to this, we have disabled all users passwords," company CEO Ade Olonoh wrote in a blog post. "We apologize for the inconvenience but prefer to play it safe and have asked all members to reset their passwords. Users will be prompted to change their passwords when they log back into Formspring."https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
"Formspring officials said that the company was using SHA-256 with random salts to protect user passwords," writes Threatpost's Dennis Fisher. "After the incident, the company switched to Bcrypt, a hash algorithm that's based on Bruce Schneier's Blowfish algorithm. SHA-256 is one version of the SHA-2 hash function and there are known security issues with it. "
"To their credit, Formspring appears to have dealt with the security breach quickly and fairly transparently," writes Sophos' Graham Cluley. "There are undoubtedly lessons to be learnt from the hack -- and users would be wise to ensure that they take heed of the advice to use unique, hard-to-guess passwords on different websites -- but I'm much more impressed with how Formspring has handled this incident than, say, LinkedIn."