Slashdot Mirror


Formspring Hacked - 420,000 Password Hashes Leaked

wiredmikey writes with news of yet another business suffering a data breach. From the article: "Formspring, the Social Q&A portal ..., admitted to being breached on Tuesday. The compromise led to the loss of 420,000 passwords, forcing the site to reset all member passwords. Mirroring the recent LinkedIn breach, Formspring said that it was alerted to a forum post that contained 420,000 password hashes. Engineers shut down the service and confirmed the passwords were indeed theirs. In less than a day, an investigation revealed that the attacker(s) had 'broken into one of our development servers and was able to use that access to extract account information from a production database' .... There have been no reported incidents of individual account compromise, but there were reports of phishing by some users on Twitter attempting to capitalize on the incident."

3 of 68 comments

  1. Re:Yet another reason to use a variety of password by vlm · Score: 4, Interesting

    I know I'm guilty of recycling a generic password on sites I don't care about, but I fear that my family members are even worse. I'd say there's an 80% chance that my family recycles the same password on both social and banking sites.

    I have one password for each class of security. Ultra critical (life savings depend on it) has one, which is only used on two sites anyway. Then there's /. and sites like it, which have another "I can't lose money, but I'd be pissed if someone stole my account" password. Finally, "I can't believe these morons force me to create an account for their cruddy site. F those idiots, the password for moron sites is password123."

    I believe that websites that demand account creation when there is no need to create an account, like to order stuff or view pages, are a social disease that should be stamped out. Aggressively if necessary. Not because one POS automotive parts site demanding I "create an account" just to make a single item purchase one time in my life is inherently evil, but because making a billion people make hundreds of accounts each, many of which will be stolen, IS evil. This is no different than the argument where "if I occasionally accidentally dump out a little used motor oil it's no big deal, but if the whole planet dumped all their used oil, it would be a freaking disaster."

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  2. Re:Network Isolation by vlm · Score: 5, Interesting

    I'm old enough to have had that very argument during the original SQL Slammer infestation, and the replies were along these lines:
    1) Who cares, security costs money but insecurity is free, or free PR advertising anyway.
    2) That's just one bug, one time, I'm sure it's completely secure now.
    3) Webservers were not originally built to be secure, but they pitifully bolted some security on and no one blinks at putting them bare on the net, so why worry about putting something originally designed to be secure on the net?
    4) False sense of security means behind the firewall we'll get owned 10 times more often than if we stay paranoid and keep it on the public "DMZ". The eternal crunchy outside and soft chewy inside argument. Who knows more about making a DB secure, a DBA or a firewall dweeb? So let's place it on the net and trust the DBA.
    5) 99.9999% of databases getting powned are due to no input sanitizing and buffer overruns and other epic programming fails by those idiot web guys, so we may as well place the MySQL server open on the net anyway since the web guys leave the barn door wide open almost all the time anyway.
    6) Our hard-coded back door password in the closed source webserver executable app is "password", so I think having the server outside is the least of our concerns. (prioritization)

    Anybody ever hear anything else that's relevant?

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  3. Re:Network Isolation by History's Coming To · Score: 1, Interesting

    The doctor analogy is an interesting one: a doctor won't go through a full surgical scrub and use a sterile theatre for giving an inoculation, because the risks of introducing a little bacteria into the skin aren't huge; a sterile needle and an alcohol wipe-down are sufficient. In the same way, if you have properly salted hashes using a strong algorithm, and you're not storing personally identifying information (names, CC details etc.), then your DB doesn't have to be massively secure. Start storing card details or the like, and yes it does. It's all about going to the right level of effort. I store IP/DOB/TIMESTAMP data for an alcohol-related site to prove due diligence; there's nothing particularly sensitive, so I don't use lots of encryption and so on. If it gets leaked then the attackers don't get any particularly useful info. When people register an account, however, we store names, email addresses and DOBs together, so that DB has significantly more protection.

    --
    Please consider this account deleted, I just can't be bothered with the spam anymore.