Hackers broke into a development server at Formspring, a social Q&A site, made off with the password hashes of 420,000 users and later posted them online. The company has reset all of its users' passwords and said it has also changed the way it handles passwords.

Formspring officials said on Tuesday that they had discovered the incident that morning and subsequently learned that some of the hashes had been posted online. The company decided to reset the passwords for all of its users.

“We were notified that approximately 420,000 password hashes were posted to a security forum, with suspicion from a user that they could be Formspring passwords. The post did not contain usernames or any other identifying information,” the company said in a blog post.

“Once we were able to verify that the hashes were obtained from Formspring, we locked down our systems and began an investigation to determine the nature of the breach. We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database.”

Formspring officials said that the company had been using SHA-256 with random salts to protect user passwords. After the incident, the company switched to bcrypt, a password-hashing function built on Bruce Schneier's Blowfish cipher. SHA-256 is a member of the SHA-2 family and has no known practical weakness as a hash function; the problem is that it is designed to be fast. A single salted SHA-256 per password defeats precomputed tables, but an attacker holding the hashes can still test an enormous number of guesses per second on commodity GPUs. bcrypt, by contrast, has a configurable cost factor that makes every guess deliberately expensive, for the attacker and the site alike.
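The following is an added example, not Formspring's code, contrasting the two approaches described above: one salted SHA-256 call per password versus a stretched hash with a tunable work factor. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt (which needs a third-party module); the property being demonstrated, a cost that the defender can raise, is the same. The iteration count of 64,000 is the 2012 OWASP figure quoted in the comments. All function names and the record format are hypothetical, and the word list is constructed. The `login` helper also shows the one migration path that exists once a site decides to change schemes: a stored hash cannot be converted without the password, so each user's record is rehashed the next time they log in (or, as Formspring did, everyone is forced to reset).

```python
"""Added example (not Formspring's code): single salted SHA-256 versus a
stretched password hash, plus upgrade-on-login migration of legacy records.
Function names and the record format are hypothetical."""
import hashlib
import hmac
import os
import time

# PBKDF2-HMAC-SHA256 stands in for bcrypt here; both expose a tunable work
# factor, which is exactly what a single SHA-256 call lacks.
PBKDF2_ITERATIONS = 64_000  # 2012 OWASP floor quoted in the comments


def legacy_hash(password: str, salt: bytes) -> bytes:
    """One salted SHA-256 call: stops rainbow tables, but is fast by design."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def legacy_record(password: str) -> str:
    """Store a fresh random salt next to the hash (hypothetical format)."""
    salt = os.urandom(16)
    return f"sha256${salt.hex()}${legacy_hash(password, salt).hex()}"


def stretched_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: the same primitive, iterated to make guessing slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def stretched_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """The iteration count is stored with the record so it can be raised later."""
    salt = os.urandom(16)
    digest = stretched_hash(password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Check a password against either record format, comparing in constant time."""
    fields = record.split("$")
    if fields[0] == "sha256":
        _, salt_hex, digest_hex = fields
        candidate = legacy_hash(password, bytes.fromhex(salt_hex))
    elif fields[0] == "pbkdf2_sha256":
        _, iters, salt_hex, digest_hex = fields
        candidate = stretched_hash(password, bytes.fromhex(salt_hex), int(iters))
    else:
        raise ValueError("unknown password record format")
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def login(password: str, record: str):
    """Upgrade-on-login: a legacy hash cannot be converted to the new scheme
    without the password, so rehash at the moment the user presents it.
    Returns (ok, record_to_store)."""
    if not verify(password, record):
        return False, record
    if record.startswith("sha256$"):
        return True, stretched_record(password)
    return True, record


def guesses_per_second(record: str, wordlist, seconds: float = 0.2) -> float:
    """Rough single-core guessing rate against one record, to show the cost gap.
    A GPU cracker would be far faster in absolute terms, but the ratio holds."""
    deadline = time.perf_counter() + seconds
    tried = 0
    while time.perf_counter() < deadline:
        verify(wordlist[tried % len(wordlist)], record)
        tried += 1
    return tried / seconds


if __name__ == "__main__":
    words = ["123456", "password", "jennifer", "P@$$w0rd"]  # constructed sample
    old = legacy_record("correct horse")
    new = stretched_record("correct horse")
    print(f"salted SHA-256 : {guesses_per_second(old, words):,.0f} guesses/s")
    print(f"PBKDF2 (64k)   : {guesses_per_second(new, words):,.0f} guesses/s")
    ok, upgraded = login("correct horse", old)
    print("login ok:", ok, "| stored as:", upgraded.split("$")[0])
```

Run it and the salted-SHA-256 rate comes out several orders of magnitude higher than the PBKDF2 rate on the same machine; that gap, not any flaw in SHA-256 itself, is what the switch to bcrypt buys. Note that the iteration count travels with each record, so it can be raised for new logins without invalidating old ones.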

This leak is simply the latest in a years-long series of such incidents. One of the more recent was the attack on LinkedIn, the huge professional social network, in which the hashes of more than 6 million users' passwords were leaked. In that case, LinkedIn had been storing passwords as unsalted SHA-1 hashes, an older and less secure hash function, and one woman affected by the breach later sued the company for failing to take adequate security measures.

Categories: Data Breaches

Comments (5)

  1. Anonymous
    1

    The major ‘known security issue’ is only hashing once.  SHA-256 with enough iterations via a known good PBKDF2 function is equivalent to bcrypt with enough iterations (the numbers are different for the two).  For PBKDF2 in 2012, OWASP recommends at least 64,000 iterations on their Password Storage Cheat Sheet, doubled every 2 years.

  2. Anonymous
    2

    And also not allowing development servers access to production databases. I'm just sayin'.

  3. Anonymous
    3

    Not allowing users to choose passwords like 12345, password, jennifer, P@$$w0rd, J3nnifer!, and so on is a separate and important step, once any kind of hashing is implemented.


Comments are closed.