The owners of Formspring – the website where users can “share their perspective on anything” – reset the passwords of all their customers after identifying a data breach that affected one of their servers.
The hackers posted around 420,000 password hashes on a forum. As in the LinkedIn incident, no usernames or other identifying information were published alongside them.
Most likely, the cybercriminals were seeking help in cracking the hashes, which were SHA-256 with random salts. A hash cannot be decrypted; it can only be attacked by guessing. Random salts rule out precomputed tables and force each hash to be attacked on its own, but SHA-256 is a fast function, so a wordlist attack against any individual hash still costs only microseconds per guess.
“Once we were able to verify that the hashes were obtained from Formspring, we locked down our systems and began an investigation to determine the nature of the breach,” Ade Olonoh, founder and CEO of Formspring, wrote in a blog post.
“We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database.”
The security hole that allowed the attackers to gain access to the server has been patched. Like other websites that have suffered such breaches, Formspring has since upgraded its password hashing to bcrypt, whose configurable work factor makes each guess far more expensive than a single SHA-256 computation.
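To make the cost argument concrete, here is an added example (not Formspring's code, which is not public): a salted SHA-256 record beside a slow salted hash, and the offline dictionary attack an attacker would run against a leaked dump. The record formats, the three accounts and the wordlist are constructed for the demo, and PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt, which the standard library does not ship.

```python
"""Added example (not Formspring's code): why a wordlist attack on salted SHA-256
is cheap, and what a slow password hash changes.

The user records and the wordlist below are constructed for the demo; the leak's
real storage format is not public. PBKDF2-HMAC-SHA256 from the standard library
stands in for the bcrypt mentioned in the article."""
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 200_000  # assumption: a plausible work factor; tune it on real hardware


def sha256_salted(password: str, salt: bytes) -> str:
    """One fast hash: a single SHA-256 over salt || password."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def store_sha256(password: str) -> str:
    """Record format 'salthex$digesthex' (assumed layout, not the leak's)."""
    salt = os.urandom(16)
    return f"{salt.hex()}${sha256_salted(password, salt)}"


def verify_sha256(password: str, record: str) -> bool:
    salt_hex, digest = record.split("$")
    return hmac.compare_digest(sha256_salted(password, bytes.fromhex(salt_hex)), digest)


def store_pbkdf2(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Slow, salted hash: 'pbkdf2_sha256$rounds$salthex$dkhex'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    _, rounds, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def dictionary_attack(records: dict, wordlist: list, verify) -> dict:
    """Offline attack run against leaked records. The per-user random salt means
    no guess can be reused across users (no rainbow table, no batching), so the
    cost is up to len(records) * len(wordlist) calls to verify(): microseconds
    each for bare SHA-256, the configured work factor each for PBKDF2."""
    cracked = {}
    for user, record in records.items():
        for guess in wordlist:
            if verify(guess, record):
                cracked[user] = guess
                break
    return cracked


def seconds_per_guess(verify, record: str, trials: int = 10) -> float:
    """Rough per-guess cost of one verify function against one record."""
    start = time.perf_counter()
    for _ in range(trials):
        verify("not-the-password", record)
    return (time.perf_counter() - start) / trials


# Constructed sample data: three accounts, two with passwords the small wordlist covers.
SAMPLE_PASSWORDS = {"alice": "password123", "bob": "letmein", "carol": "c0rr3ct-h0rse-b4ttery"}
WORDLIST = ["123456", "password", "qwerty", "letmein", "password123", "abc123"]
SHA256_RECORDS = {u: store_sha256(p) for u, p in SAMPLE_PASSWORDS.items()}
PBKDF2_RECORDS = {u: store_pbkdf2(p) for u, p in SAMPLE_PASSWORDS.items()}

if __name__ == "__main__":
    print("cracked (SHA-256):", dictionary_attack(SHA256_RECORDS, WORDLIST, verify_sha256))
    print("cracked (PBKDF2): ", dictionary_attack(PBKDF2_RECORDS, WORDLIST, verify_pbkdf2))
    fast = seconds_per_guess(verify_sha256, SHA256_RECORDS["alice"])
    slow = seconds_per_guess(verify_pbkdf2, PBKDF2_RECORDS["alice"])
    print(f"cost per guess: sha256 {fast:.2e}s, pbkdf2 {slow:.2e}s, ratio {slow / fast:.0f}x")
```

Both record sets fall to the same wordlist; what changes is the cost per guess, which the salt leaves untouched and the work factor multiplies. In production, size the work factor so that one verification takes tens of milliseconds on the login servers, and use bcrypt, scrypt or Argon2 from a maintained library rather than rolling the construction yourself.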
In the meantime, users are advised to check their email inboxes for the password reset notifications. Those who need advice on how to create strong passwords and how to protect them can check out a comprehensive advisory we published recently.
Customers who no longer have access to the email address they used to register their Formspring account can contact the website’s support team.
Incidents like this also give cybercriminals an opening for phishing campaigns aimed at the affected users, for example fake password reset emails timed to coincide with the genuine ones.
If you receive a suspicious-looking email, check that the links it contains actually point to formspring.me and not to some other domain; look at the host the link resolves to, not merely at whether the text contains the name. Note that formspringme.zendesk.com URLs are legitimate.
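As an added illustration, not from the original article, here is a small link check that applies the advice above: it parses each URL and compares the real host against the two legitimate hosts the article names. The sample links are constructed, and the assumption that subdomains of formspring.me (such as www.formspring.me) are also legitimate is ours.

```python
"""Added example: decide whether a link in a suspected phishing e-mail points at a
legitimate host. The allow-list holds the two hosts named in the article; treating
subdomains of formspring.me as legitimate is an assumption. Sample links are
constructed for the demo."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"formspring.me", "formspringme.zendesk.com"}
ALLOWED_SUFFIXES = (".formspring.me",)  # assumption: www.formspring.me etc. belong to the site


def link_is_legitimate(url: str) -> bool:
    """True only if the URL's scheme is http(s) and its host is on the allow-list.

    Using urlsplit().hostname rather than string search defeats the usual tricks:
    'formspring.me.evil.example' (our name as a prefix of someone else's domain),
    'evil.example/formspring.me' (our name in the path) and
    'formspring.me@evil.example' (our name as userinfo before the real host)."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # lowercased, with userinfo and port already stripped
    if not host:
        return False
    return host in ALLOWED_HOSTS or host.endswith(ALLOWED_SUFFIXES)


def classify_links(links):
    """Map each link to its verdict, e.g. for every href pulled out of an e-mail."""
    return {link: link_is_legitimate(link) for link in links}


# Constructed sample links: two genuine, the rest the shapes a phishing mail would use.
SAMPLE_LINKS = [
    "https://formspring.me/reset?token=abc",
    "https://formspringme.zendesk.com/hc/en-us",
    "http://formspring.me.evil.example/reset",
    "http://evil.example/formspring.me/reset",
    "http://formspring.me@evil.example/reset",
    "https://formspring.me.zendesk.com/",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for link, ok in classify_links(SAMPLE_LINKS).items():
        print(("OK   " if ok else "FAKE ") + link)
```

Host matching is only one signal: a genuine-looking link can still sit in a fraudulent mail, and a legitimate host can be reached through a redirect parameter. The reset email is safest ignored altogether; go to the site by typing its address and request a reset there.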