In association with heise online

11 July 2012, 15:40

Formspring question-and-answer platform compromised


More than 400,000 passwords for Formspring accounts have fallen into the wrong hands. The incident brings back memories of the password leaks at popular sites such as LinkedIn and eHarmony about a month ago; these resulted in several million password hashes for the question-and-answer platform finding their way onto the net.

The H's associates at heise Security had discovered the Formspring hashes at the end of last week but could not determine the origin of the data at the time. A short time later, a reader contacted The H with the crucial piece of information that hundreds of passwords contained the term "formspring".

After being informed of this discovery, the operators of the platform soon managed to trace the leak to one of their development servers, which had allowed an attacker to access a production server. They said that they have successfully closed the hole. Formspring has also reset all user passwords. The company has taken this opportunity to switch its hashing method from SHA-256 (salted) to bcrypt, a method that can currently only be cracked with substantial computing power, so an attack would take a significant amount of time.

About half of the 400,000 hashes have already been reconstructed by password crackers. It is likely that the actual leak is much bigger and that the owners of the full list only released the hashes that they were unable to crack themselves.
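
The practical difference between salted SHA-256 and a work-factor scheme such as bcrypt is the cost of each password guess. The following is an added example, not code from the article or from Formspring, that measures that cost; it assumes PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt, and the iteration count, record format and sample password are constructed for illustration.

```python
import hashlib, hmac, os, time

# Assumption: PBKDF2-HMAC-SHA256 (standard library) stands in for bcrypt, which
# needs a third-party package; both make every single guess deliberately slow.
ITERATIONS = 200_000  # constructed work factor, tune to your hardware

def hash_legacy(password: str, salt: bytes) -> bytes:
    """Salted SHA-256: one fast hash per guess (the scheme being replaced)."""
    return hashlib.sha256(salt + password.encode()).digest()

def hash_adaptive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Work-factor hash: `iterations` HMAC rounds per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_record(password: str) -> str:
    """Store scheme, cost, salt and digest together so the cost can be raised later."""
    salt = os.urandom(16)
    digest = hash_adaptive(password, salt)
    return f"pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2-sha256":
        return False  # legacy or unknown schemes are refused, forcing a reset
    candidate = hash_adaptive(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def seconds_per_guess(fn, rounds: int) -> float:
    """Average wall-clock cost of one guess against a single salted hash."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(rounds):
        fn(f"guess{i}", salt)
    return (time.perf_counter() - start) / rounds

def cost_ratio() -> float:
    """How many times more expensive one adaptive guess is than one legacy guess."""
    fast = seconds_per_guess(hash_legacy, 20_000)
    slow = seconds_per_guess(hash_adaptive, 3)
    return slow / fast

if __name__ == "__main__":
    record = make_record("formspring123")  # constructed sample password
    print(verify("formspring123", record), verify("wrong", record))
    print(f"adaptive guess costs ~{cost_ratio():,.0f}x a salted SHA-256 guess")
```

Because the cost is stored in each record, it can be increased as hardware gets faster without changing the verification code.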
