Formspring servers breached and 420,000 encrypted passwords stolen

4 years ago

Formspring are the latest site to succumb to hackers: their servers were recently compromised and 420,000 password hashes were stolen. An unknown intruder gained access to the company’s development servers and, from there, managed to lift account information from a production database, including the 420,000 password hashes. Once Formspring became aware of the breach they took immediate action, which should reassure most users: they disabled all user passwords, forcing members to go through a reset process. Although the passwords were stored as hashes rather than in plain text and no accounts have been reported as compromised, the company said it’s better safe than sorry, a sentiment we definitely agree with.

Formspring have also issued a selection of tips to help make sure that a stolen password cannot be used against the other sites and services you use.

  • Don’t use the same passwords on other sites you visit
  • Don’t share your password with anyone or write it down
  • Change your passwords every few months
  • You can change your password from the Formspring Account Settings page
  • Don’t put your email address, address or phone number in your Formspring profile
  • Log out of your account after you use a shared computer
  • Keep your anti-virus software up to date
  • Report any privacy issues to Customer Support

All members should receive an email requesting a password reset before they can use the service. Thankfully, if you logged in to the service via Facebook then you’re safe, as the Facebook login for Formspring works as an app through Facebook rather than through the Formspring database itself. Within a day, the company located and patched the hole in its system, and upgraded its hashing mechanism from SHA-256 with random salts to bcrypt.
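
The kind of hashing upgrade described above, sketched as an added example (not Formspring's code): a stored salted SHA-256 hash is verified and then replaced with a deliberately slow hash the next time the user proves they know the password. Assumptions: the `scheme$...` record format and all function names are made up for illustration, and `hashlib.scrypt` stands in for bcrypt, which is not in the Python standard library.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# scrypt cost parameters (assumed values; tune to your own hardware).
N, R, P = 2**14, 8, 1


def legacy_record(password: str, salt: bytes) -> str:
    """Old scheme: a single round of SHA-256 over salt + password."""
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"sha256${salt.hex()}${digest}"


def slow_record(password: str, salt: bytes | None = None) -> str:
    """New scheme: slow, memory-hard hash (scrypt as a bcrypt stand-in)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return f"scrypt${N}${R}${P}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> tuple[bool, str | None]:
    """Check a password; return (ok, replacement_record_or_None).

    A replacement is returned only when a legacy record verified, so the
    caller can overwrite the stored value while it still holds the plaintext.
    """
    scheme, *fields = record.split("$")
    if scheme == "sha256" and len(fields) == 2:
        salt = bytes.fromhex(fields[0])
        ok = hmac.compare_digest(legacy_record(password, salt), record)
        return ok, (slow_record(password) if ok else None)
    if scheme == "scrypt" and len(fields) == 5:
        n, r, p = (int(x) for x in fields[:3])
        salt, want = bytes.fromhex(fields[3]), bytes.fromhex(fields[4])
        got = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=len(want))
        return hmac.compare_digest(got, want), None
    return False, None  # unknown scheme: fail closed


if __name__ == "__main__":
    # Constructed sample row, not real data.
    db = {"alice": legacy_record("correct horse", os.urandom(16))}
    ok, new = verify("correct horse", db["alice"])
    if ok and new:
        db["alice"] = new  # stored hash is now on the slow scheme
    print(ok, db["alice"].split("$")[0])
```

The salt already prevents precomputed-table lookups in both schemes; what the slow hash adds is a much higher cost per guess for anyone holding a stolen copy of the hashes.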