Social site Formspring hacked, passwords disabled

(AP) — Social networking site Formspring said Tuesday that it was disabling nearly 30 million registered users' passwords after hundreds of thousands of them were leaked to the Web in their encrypted form.

Formspring said in a blog post that the breach happened after someone hacked into one of the San Francisco-based company's servers.

Spokeswoman Dorothee Fisher said Wednesday the company was alerted Monday that some 420,000 encrypted passwords had showed up on a security forum whose identity she refused to disclose because she did not want to draw attention to it.

Encrypted passwords aren't immediately useable, although they can sometimes be decoded by a savvy attacker.

Fisher said there was no evidence that any accounts had been tampered with.

Formspring founder Ade Olonoh said in a blog post that his company had fixed the vulnerability and upgraded its encryption, adding that the company wanted to "play it safe" and had asked all users to reset their passwords.

"We take this matter very seriously and continue to review our internal security policies and practices to help ensure that this never happens again," he said.

Formspring launched in 2009 as a crowd-powered question-and-answer site. Last month, the company announced a major revamp intended to shift the site's focus toward users' interests.


Explore further

Some LinkedIn, eHarmony passwords leaked online (Update 3)

Copyright 2012 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

Citation: Social site Formspring hacked, passwords disabled (2012, July 11) retrieved 22 August 2019 from https://phys.org/news/2012-07-social-site-formspring-hacked-passwords.html
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.
0 shares

Feedback to editors

User comments

Jul 11, 2012
I suspect the "encryption" was hashing and the "upgrade" was MD5 to SHA2. And they don't salt their hashes.

Maybe people should start suing web sites that do this.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more