Formspring disables user passwords in security breach

The question-and-answer site informs users that some of their passwords may have been breached in a security intrusion.

Steven Musil Night Editor / News
Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.
Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.
Steven Musil
2 min read

Formspring has suffered a security intrusion in which some of its user passwords may have been breached, the question-and-answer site warned today.

Formspring, which said it only learned of the network intrusion this morning, responded by disabling all users' passwords.

"We apologize for the inconvenience but prefer to play it safe and have asked all members to reset their passwords," Formspring founder and CEO Ade Olonoh said in a company blog post. "Users will be prompted to change their passwords when they log back into Formspring. "

A Formspring spokesperson told CNET that the company was tipped off to breach by someone who spotted about 420,000 hashed passwords posted to a security forum that appeared to come from Formspring.

"Once we were able to verify that the hashes were obtained from Formspring, we locked down our systems and began an investigation to determine the nature of the breach," Dorothee Fisher said. "We found that someone had accessed into one of our development servers and was able to extract account information from a production database. We were able to immediately fix the hole and are reviewing our internal security policies and practices to help ensure that this never happens again."

The San Francisco-based startup, which launched its site in 2009, announced earlier this year that it had nearly 28 million users.

In the blog's comments section, many dissatisfied users expressed a desire to have their accounts deleted, but a company representative assured them that their passwords had all been "salted," a cryptography technique that makes it harder to uncover the actual password.

The blog went on to give users a tutorial in creating strong passwords -- a helpful reminder in the wake of more high-profile password thefts at LinkedIn, eHarmony, and Last.fm. Their users passwords were among approximately 8 million posted in two separate lists to hacker sites in early June. It appears that while they were hashed, they were not salted.