Kahla Preston reports:
Users of Formspring, a social question and answer website popular among young teenagers, today learned their passwords were disabled by site administrators following a security breach.
Read more on The Age.
In a message on their blog yesterday, Formspring writes:
Urgent: Change Your Formspring Password
We learned this morning that we had a security breach where some user passwords may have been accessed. In response to this, we have disabled all users passwords. We apologize for the inconvenience but prefer to play it safe and have asked all members to reset their passwords. Users will be prompted to change their passwords when they log back into Formspring. This is a good time to create a strong password.
[…]
Five hours ago, there was an update:
UPDATE: SECURITY BREACH RESOLVED
We wanted to give an update that the security breach was resolved today and provide background on what happened.
We were notified that approximately 420k password hashes were posted to a security forum, with suspicion from a user that they could be Formspring passwords. The post did not contain usernames or any other identifying information.
Once we were able to verify that the hashes were obtained from Formspring, we locked down our systems and began an investigation to determine the nature of the breach. We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database.
We were able to immediately fix the hole and upgraded our hashing mechanisms from sha-256 with random salts to bcrypt to fortify security. We take this matter very seriously and continue to review our internal security policies and practices to help ensure that this never happens again.
[…]