
Formspring has “withdrawn” 420 thousand user passwords


This morning I found a letter in my mailbox:

Dear Formspring user,
For your security reasons, you can reset it. When you log back into Formspring, you will be prompted to change your password.

Reset your password.

The formspring team

As it turned out, this was not just for "security reasons". Following LinkedIn and last.fm, nearly half a million passwords were leaked from Formspring.



“We revealed security breaches this morning, as a result of which some user passwords might have become accessible to attackers,” wrote Formspring CEO Ade Olonoh on his blog. “In response, we turned off all user passwords. We apologize for the inconvenience, but we prefer not to risk it and therefore asked all subscribers to reset their passwords. Users will be prompted to change their passwords when re-entering Formspring.”

The post emphasizes that only hashes were published, without any information about users.

Answering questions from TechGeek, a Formspring spokesman said they learned that 420,000 password hashes were published. An audit showed that all of them were present in the service's databases. The company has confirmed that it intends to upgrade its systems to support BCrypt.

When asked how the attackers gained access to the data stored on the server, a company spokesman said in an email: ".

“We were able to immediately fix the gap. The company is reviewing its internal security policy and implementation methods to ensure that this will never happen again.”

KollinZ added screenshots from the FSpring admin panel.

Source: https://habr.com/ru/post/147593/

