Formspring Hacked - 420,000 Password Hashes Leaked

← Back to Stories (view on slashdot.org)

Formspring Hacked - 420,000 Password Hashes Leaked

Posted by Unknown on Wednesday July 11, 2012 @02:13AM from the sky-is-falling dept.

wiredmikey writes with news of yet another business suffering a data breach. From the article: "Formspring, the Social Q&A portal ..., admitted to being breached on Tuesday. The compromise led to the loss of 420,000 passwords, forcing the site to reset all member passwords. Mirroring the recent LinkedIn breach, Formspring said that it was alerted to a forum post that contained 420,000 password hashes. Engineers shutdown the service and confirmed the passwords were indeed theirs. In less than a day, an investigation revealed that the attacker(s) had 'broken into one of our development servers and was able to use that access to extract account information from a production database' .... There have been no reported incidents of individual account compromise, but there were reports of Phishing by some users on Twitter attempting to capitalize on the incident."

18 of 68 comments (clear)

Min score:

Reason:

Sort:

420,000? by Anonymous Coward · 2012-07-11 02:17 · Score: 5, Funny

420,000? Is that like 100,000 people smokin' the reefer?
1. Re:420,000? by vlm · 2012-07-11 02:31 · Score: 2
  
  420,000? Is that like 100,000 people smokin' the reefer?
  More like 420,000 people use(d) something I've never heard of?
  I wonder if unknown websites would make up some imaginary accounts and intentionally release them to create buzz?
  Its not like there's any penalty for public release of information, and all PR is good PR anyway, so..
  
  --
  "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
2. Re:420,000? by Fnord666 · 2012-07-11 03:11 · Score: 3, Funny
  
  More like 420,000 people use(d) something I've never heard of?
  Exactly. One of the articles even concludes with
  
  Interestingly, while it gained popularity early on, most users who were reporting that they had received a password reset notice had forgotten they even registered with the service.
  
  --
  'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
Network Isolation by Archangel+Michael · 2012-07-11 02:17 · Score: 5, Insightful

When are people going to get a clue and do proper network isolation of servers ... especially Database servers. There should be no way to attach to a database from outside network. Production and testing servers should all be on sandboxed networks that don't touch the outside.

--
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
1. Re:Network Isolation by vlm · 2012-07-11 02:52 · Score: 5, Interesting
  
  I'm old enough to have had that very argument during the original SQL slammer infestation and the replies were along these lines:
  1) Who cares, security costs money but insecurity is free, or free PR advertising anyway.
  2) Thats just one bug, one time, I'm sure its completely secure now
  3) Webservers were not originally built to be secure, but they pitifully bolted some security on and no one blinks at putting them bare on the net, so why worry about putting something originally designed to be secure on the net?
  4) False sense of security means behind the firewall we'll get owned 10 times more often than if we stay paranoid and keep it on the public "dmz". The eternal crunchy outside and soft chewy inside argument. Who knows more about making a DB secure, a DBA or a firewall dweeb? So lets place it on the net and trust the DBA.
  5) 99.9999% of databases getting powned are due to no input sanitizing and buffer overruns and other epic programming fails by those idiot web guys, so we may as well place the mysql server open on the net anyway since the web guys leave the barn door wide open almost all the time anyway.
  6) Our hard coded back door password in the webserver executable closed source app is "password" so I think having the server outside is the least of our concerns. (prioritization)
  Anybody ever hear anything else thats relevant?
  
  --
  "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
2. Re:Network Isolation by sl4shd0rk · 2012-07-11 03:22 · Score: 3, Insightful
  
  When are people going to get a clue and do proper network isolation of servers
  You apparently read alot about security but haven't done much enterprise administration.
  Database servers behind a second DMZ with reverse proxying always look great on paper, and start life out that way but what always happens is there is some "corner case" piece of software which doesn't work with your setup and you need to make an exception. Next, the developer group will explain they've wrote their applications to use "realtime" data and the subset of data you've copied out to the DMZ DB is 6 hours too old. You go to the DB Admin and ask him what it would take to increase the frequency of the Oracle dump and he explains it already takes 6 hours to complete and the dump locks tables so you have to do it at night when Sales and Marketing are not using it. You find out the backups are running after the dump process and the network is quite saturated as it pulls 1500G over the wire to the archive SAN. As a result it takes you another 2 hours to get the subset of data moved out to the DMZ. This whole process takes about 12 hours to run and since you are on the West coast you can't tie up the network or the DB for an additional 2 hours or the Midwest offices can't begin work at 8am. Eventually the boss screams he wants it fixed whatever the cost so someone dual-homes the DMZ database so things can get sucked off the back-end on a separate wire. Sunddenly, developers start using the second nic to connect directly to the DMZ DB but you find out all the added traffic on the second gig nic tops out the old Sun box taking all it's spare CPU cycles with it. The nail in the coffin finally comes in when the AD server in the DMZ is found to have been compromised for over 6 months and has been siphoning data off the Oracle connector to some place in China.
  This is why compromises happen and why we can't have nice things like secure database setups.
  
  --
  Join the Slashcott! Feb 10 thru Feb 17!
3. Re:Network Isolation by Charliemopps · 2012-07-11 03:27 · Score: 3, Insightful
  
  And if the production and database servers are "in the cloud"? Kind of hard to isolate them then, aint it?
  
  I've run into this before. We've got a DB that's hosted in a "cloud service" then we have idiot supervisors/management that want to do training... so they set all their training accounts to
  Username "training1"
  Password "training1"
  
  We find out, force them to change it. Next thing we know, they're trying to sick VPs on us... "Why are you making it hard for my department to train?!?! It's only a test server!"
  Explaining that it's a duplicate of production doesn't seem to phase them... It's kind of irrelevant which database the hackers get into when they are identical to each other. Calling one "test" is kind of irrelevant from a security standpoint.
Yet another reason to use a variety of passwords by txoof · 2012-07-11 02:21 · Score: 4, Insightful

And once again we are reminded that using the same password on every site is a terrible idea for just this reason. I know I'm guilty of recycling a generic password on sites I don't care about, but I fear that my family members are even worse. I'd say there's an 80% chance that my family recycles the same password on both social and banking sites.
It doesn't help that many password validation routines choke on spaces. Being able to use a passphrase is way easier than trying to remember some random group of characters that just happen to have a high entropy. The Correct Horse Battery Staple model is my new favorite for any site that will accept spaces. Sadly, one bank that I have done business with won't even allow a password that is more than 8 characters and only accepts letters and numbers. They try to shore this up with some bogus security questions on the following page, but I don't feel really "secure."
What other password strategies do you all use to make sure you keep reasonably secure? I eventually gave in to using KeePass to keep my less frequently but more important passwords secure.

--
This one's tricky. You have to use imaginary numbers, like eleventeen... --Hobbes
Re:Yet another reason to use a variety of password by Theophany · 2012-07-11 02:24 · Score: 3, Informative

Whilst I agree with all of the above, I think the *real* takeaway from this should be "don't use shitty websites like Formspring, for fuck's sake."
Re:Yet another reason to use a variety of password by firex726 · 2012-07-11 02:25 · Score: 2

Personally I much prefer serves like pwdhash.
Remember one base password across all sites and it'll convert it into a hash for you, so even if you have a key-logger installed it'll only record the base, and not the hashed one.
I think I figured it out. by InvisibleClergy · 2012-07-11 02:31 · Score: 5, Funny

I know it's a Q&A site, but ForumSpring Engineers really shouldn't have answered the question, "How do I hack the ForumSpring servers?"
1. Re:I think I figured it out. by Rogerborg · 2012-07-11 02:47 · Score: 2
  
  ForumSpring Engineers really shouldn't have answered the question, "How do I hack the ForumSpring servers?"
  Heh, I refer you to A Logic Named Joe. It predicted the personal computer, the internet, search engines, and the real uses which most people would find for them. In 1946. Nineteen. Forty. Six.
  
  --
  If you were blocking sigs, you wouldn't have to read this.
Re:Yet another reason to use a variety of password by kav2k · 2012-07-11 02:33 · Score: 4, Informative

So, if I understand the idea correctly, once the keylogger has the base password, all derived passwords are screwed? It protects against hash/unencrypted password leaks, but makes the base password too valuable.
Re:Yet another reason to use a variety of password by Calos · 2012-07-11 02:39 · Score: 3, Informative

Yep, I love pwdhash. It's portable without worrying about leaving a password database on a thumbdrive or in the cloud, it can generate long, site-unique passwords while using the same base password. Pwdhash is pretty nice in that it is sensitive to stupid websites that don't allow special characters, too - if you put a special in the password you supply, it very likely (but not necessarily) include one in the password it generates. If you don't put specials in the user-supplied portion, the output is just alphanumeric. Of course, there are still the stupid websites that want passwords to be 12 characters or less, and/or have to start with a letter, and/or other asinine rules. A downside though is that there is a maximum length for the passwords pwdhash generates, 22 chars if I remember correctly, but at this point, I don't think that's really an issue.
Still don't recommend actually using the same base password for everything, of course.
The other cool thing about pwdhash (and potentially, similar services too) is that they don't have to be used on websites. You can use it to generate passwords for, say, your wireless. Do something like the SSID in place of the website, then supply your part of the password.
Pwdhash

--
I vote based on politicians' actions, unless contrary to my preconceptions. Often wrong, never uncertain. #iamthe99%
Re:Yet another reason to use a variety of password by vlm · 2012-07-11 02:41 · Score: 4, Interesting

I know I'm guilty of recycling a generic password on sites I don't care about, but I fear that my family members are even worse. I'd say there's an 80% chance that my family recycles the same password on both social and banking sites
I have one password for each class of security. Ultra critical life savings depends on it has one which is only used on two sites anyway. Then there's /. and sites like it which has another "I can't lose money, but I'd be pissed if someone stole my account" password. Finally "I can't believe these morons force me to create an account for their cruddy site F those idiots the password for moron sites is password123"
I believe that websites that demand account creation when there is no need to create an account, like to order stuff, or view pages, are a social disease that should be stamped out. Aggressively if necessary. Not because one POS automotive parts site demanding I "create an account" just to make a single item purchase one time in my life is inherently evil, but because making a billion people make hundreds of accounts each, many of which will be stolen IS evil. This is no different than the argument where "if I occasionally accidentally dump out a little used motor oil its no big deal, but if the whole planet dumped all their used oil, it would be a freaking disaster"

--
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
Re:Yet another reason to use a variety of password by tapspace · 2012-07-11 02:49 · Score: 2

All of my banking passwords are the weakest ones. Most of the banking sites will not allow a full alphabet of special characters (American Express only has something like 6 different special characters you can use). I'm like WTF, is this a banking site or not?
The immediate question: by skorange · 2012-07-11 03:23 · Score: 2

Were the hashes created with salt, randomized per user? It sounds like they were, which of course is in contrast to the LinkedIn breach.
1. Re:The immediate question: by Gavin+Scott · 2012-07-11 03:59 · Score: 4, Informative
  
  The linked SecurityWeek articles includes the quote:
  “We were able to immediately fix the hole and upgraded our hashing mechanisms from sha-256 with random salts to bcrypt to fortify security."
  Which suggests that they were indeed salting the passwords. Assuming this was actually done, and done in a reasonable manner, then in theory there should actually be little or no risk from this breach I would think. But then I don't know why they would feel the need to immediately replace their hashing mechanism...
  G.