Formspring question-and-answer platform compromised
More than 400,000 passwords for Formspring accounts have fallen into the wrong hands. The incident brings back memories of the password leaks at popular sites such as LinkedIn, Last.fm and eHarmony about a month ago; these resulted in several million password hashes finding their way onto the net.
The H's associates at heise Security had discovered the Formspring hashes at the end of last week but couldn't determine at the time the origin of the data. A short time later, a reader contacted The H with the crucial piece of information that hundreds of passwords contained the term
After being informed of this discovery, the operators of the platform soon traced the leak to one of their development servers, which had allowed an attacker to access a production server, and said that they had successfully closed it. Formspring has also reset all user passwords. The company has taken this opportunity to switch its hashing method from SHA-256 (salted) to bcrypt, a method that can currently be cracked only with substantial computing power, so an attack would take a significant amount of time.
About half of the 400,000 hashes have already been reconstructed by password crackers. It is likely that the actual leak is much bigger and that the owners of the full list only released the hashes that they were unable to crack themselves.
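To put the switch from salted SHA-256 to a deliberately slow hash in numbers, the following added example (not Formspring's code) measures the cost of one hash under each scheme and projects it over 400,000 individually salted accounts. Assumptions: the salt-then-password layout, PBKDF2-HMAC-SHA256 from the Python standard library standing in for bcrypt, the iteration count, and all function names.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000       # assumed work factor for the slow scheme
LEAKED_ACCOUNTS = 400_000  # figure reported in the article

def hash_legacy(password: str, salt: bytes) -> bytes:
    # Salted SHA-256; the salt-then-password layout is an assumption.
    return hashlib.sha256(salt + password.encode()).digest()

def hash_slow(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for bcrypt (bcrypt is not in the stdlib).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify(password: str, salt: bytes, stored: bytes, scheme) -> bool:
    # Constant-time comparison of the recomputed hash with the stored one.
    return hmac.compare_digest(scheme(password, salt), stored)

def seconds_per_hash(scheme, rounds: int) -> float:
    # Average wall-clock cost of one hash computation on this machine.
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(rounds):
        scheme(f"guess{i}", salt)
    return (time.perf_counter() - start) / rounds

def projected_hours(sec_per_hash: float, guesses: int,
                    accounts: int = LEAKED_ACCOUNTS) -> float:
    # Per-account salts force every guess to be rehashed for every account.
    return sec_per_hash * guesses * accounts / 3600

def cost_ratio() -> float:
    return seconds_per_hash(hash_slow, 3) / seconds_per_hash(hash_legacy, 20_000)

if __name__ == "__main__":
    salt = os.urandom(16)
    stored = hash_slow("constructed-sample-password", salt)
    print("verify:", verify("constructed-sample-password", salt, stored, hash_slow))
    fast = seconds_per_hash(hash_legacy, 20_000)
    slow = seconds_per_hash(hash_slow, 3)
    for name, cost in (("salted SHA-256", fast), ("slow KDF", slow)):
        print(f"{name}: {projected_hours(cost, 10_000):,.1f} h for 10,000 guesses per account")
    print(f"slow/fast cost ratio: {slow / fast:,.0f}x")
```

The timings are single-core Python measurements, so the absolute hours are far higher than on dedicated cracking hardware; the ratio between the two schemes is the figure that matters when choosing a work factor.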