Hackers broke into a development server at Formspring, a social Q&A site, and made off with the password hashes for 420,000 users and later posted them online. The company has reset all of the users’ passwords and said it also has changed the way that it handles passwords.
Formspring officials said on Tuesday that they had learned of the incident that morning and subsequently found that some of the hashes had been posted online. The company decided to reset the passwords for all of its users.
“We were notified that approximately 420,000 password hashes were posted to a security forum, with suspicion from a user that they could be Formspring passwords. The post did not contain usernames or any other identifying information,” the company said in a blog post.
“Once we were able to verify that the hashes were obtained from Formspring, we locked down our systems and began an investigation to determine the nature of the breach. We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database.”
Formspring officials said that the company had been using SHA-256 with random salts to protect user passwords. After the incident, the company switched to Bcrypt, a password hash that is based on Bruce Schneier’s Blowfish cipher. SHA-256 is one member of the SHA-2 family of hash functions, and there are known security issues with it.
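To illustrate why the switch described above matters for a leaked hash table, here is an added example (not code from the article or from Formspring) that contrasts a one-call salted SHA-256 scheme with a hash that carries a tunable work factor. Assumptions: `hashlib.scrypt` stands in for bcrypt because the bcrypt library is not in the Python standard library, and the cost parameter `n`, the sample passwords and the guess count are constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional, Tuple

def fast_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted SHA-256, the scheme the article says was in use before the breach.
    One compression call per guess: an attacker holding the leaked table can
    test candidate passwords at the full raw speed of SHA-256."""
    salt = salt or os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).digest()
    return salt, digest

def slow_hash(password: str, salt: Optional[bytes] = None,
              n: int = 2 ** 14) -> Tuple[bytes, bytes]:
    """Work-factor hash standing in for bcrypt (assumption: scrypt used here).
    n is the cost parameter; raising it makes every guess proportionally
    more expensive for attacker and defender alike."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1, dklen=32)
    return salt, digest

def verify(password: str, salt: bytes, expected: bytes,
           hasher: Callable[..., Tuple[bytes, bytes]]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hasher(password, salt)
    return hmac.compare_digest(digest, expected)

def guesses_per_slow_hash(n_guesses: int = 20000) -> float:
    """How many salted-SHA-256 guesses fit in the wall time of one slow hash.
    This ratio is the defender's gain in offline-cracking cost per user."""
    salt, _ = slow_hash("sample")                       # constructed input
    t0 = time.perf_counter()
    slow_hash("sample", salt)
    t_slow = time.perf_counter() - t0
    t0 = time.perf_counter()
    for i in range(n_guesses):                          # constructed guesses
        fast_hash(str(i), salt)
    t_fast = (time.perf_counter() - t0) / n_guesses
    return t_slow / t_fast

if __name__ == "__main__":
    salt, stored = slow_hash("correct horse battery staple")  # constructed
    print("login ok:", verify("correct horse battery staple", salt, stored, slow_hash))
    print("fast guesses per one slow hash: %.0f" % guesses_per_slow_hash())
```

The ratio printed at the end is the factor by which the work-factor hash slows an attacker who already holds the hash table; salting alone never changes it, it only prevents reuse of precomputed tables across users.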
This leak is simply the latest in a years-long series of such incidents. One of the more recent breaches was the attack on LinkedIn, the huge professional social network, in which the hashes of more than 6 million users’ passwords were leaked. In that case, LinkedIn was using SHA-1, an older and less secure hash function, to secure user passwords, and one woman affected by the breach later sued the company for failing to take adequate security measures.