Formspring Hacked - 420,000 Password Hashes Leaked

Posted by Unknown on Wednesday July 11, 2012 @02:13AM from the sky-is-falling dept.

wiredmikey writes with news of yet another business suffering a data breach. From the article: "Formspring, the Social Q&A portal ..., admitted to being breached on Tuesday. The compromise led to the loss of 420,000 passwords, forcing the site to reset all member passwords. Mirroring the recent LinkedIn breach, Formspring said that it was alerted to a forum post that contained 420,000 password hashes. Engineers shutdown the service and confirmed the passwords were indeed theirs. In less than a day, an investigation revealed that the attacker(s) had 'broken into one of our development servers and was able to use that access to extract account information from a production database' .... There have been no reported incidents of individual account compromise, but there were reports of Phishing by some users on Twitter attempting to capitalize on the incident."

2 of 68 comments (clear)

Min score:

Reason:

Sort:

Re:Yet another reason to use a variety of password by kav2k · 2012-07-11 02:33 · Score: 4, Informative

So, if I understand the idea correctly, once the keylogger has the base password, all derived passwords are screwed? It protects against hash/unencrypted password leaks, but makes the base password too valuable.
Re:The immediate question: by Gavin+Scott · 2012-07-11 03:59 · Score: 4, Informative

The linked SecurityWeek articles includes the quote:
“We were able to immediately fix the hole and upgraded our hashing mechanisms from sha-256 with random salts to bcrypt to fortify security."
Which suggests that they were indeed salting the passwords. Assuming this was actually done, and done in a reasonable manner, then in theory there should actually be little or no risk from this breach I would think. But then I don't know why they would feel the need to immediately replace their hashing mechanism...
G.