420 thousand user passwords “stolen” from Formspring
This morning, I found a letter in my mailbox:
Dear Formspring user,
For security reasons, we have disabled your password and ask that you reset it. When you log back into Formspring, you will be prompted to change your password.
Thank you for taking the time to reset your password.
The Formspring Team
As it turned out, this was not just “security reasons”. Following LinkedIn and last.fm, nearly half a million passwords were leaked from Formspring.
“This morning, we detected security breaches that could have resulted in some user passwords being compromised,” Formspring CEO Ade Olonoh wrote on his blog. “In response to this, we disabled all user passwords. We apologize for the inconvenience, but we prefer not to take risks and therefore asked all subscribers to reset their passwords. Users will be prompted to change their passwords upon re-entering Formspring.”
The entry emphasizes that only hashes were published - without any user information.
Responding to questions from TechGeek, a Formspring spokesman said they learned that 420,000 password hashes were published. Verification showed that all of them were in the service's databases. The company has confirmed that it intends to upgrade its systems to support bcrypt.
When asked how the attackers gained access to the data on the server, the company representative stated in an e-mail: “We discovered that an outsider entered one of our servers and was able to extract account information from the database.”
“We were able to fix the gap right away. The company is reviewing its internal security policy and methods for its implementation to ensure that this never happens again.”
KollinZ added screenshots from the FSpring admin panel.