The company disabled all user passwords as soon as it learned of the network intrusion early Monday morning, Ade Olonoh, founder and CEO of Formspring, said in a blog post this week. It learned of the incident after a user alerted company representatives that 420,000 password hashes had been posted to a security forum.
It appears that an unknown attacker was able to breach one of Formspring's development servers and managed to access account data stored in a production database, Olonoh said. Usernames and other personal data were not posted along with the password hashes, according to Formspring.
"We apologize for the inconvenience, but prefer to play it safe and have asked all members to reset their passwords," Olonoh wrote.
Users will be prompted to change their passwords when they log back into Formspring, Olonoh said. He also included suggestions on how to create long and complex passwords, as well as other basic security tips.
Formspring has fixed the hole and upgraded its hashing mechanisms, Olonoh said. The company originally used SHA-256 with random salts to store passwords, but has now switched to bcrypt, a cryptographic hash function. Bcrypt is considered stronger because it is slow to compute, making it far more processor-intensive to create lookup tables, and the function is designed with a tunable work factor so that it can be made slower over time as processors get faster.
The incident is reminiscent of a breach announced last month by LinkedIn. Like Formspring, LinkedIn first learned of the compromise when a file containing hashes of member passwords appeared on a hacking forum. However, it turned out LinkedIn had only hashed the passwords without using a salt. Hashing is a one-way operation: a given input string always produces the same cryptographic output.
It's not possible to take a hash and work out directly what the original input was, but lookup tables help an attacker find which input produced a given hash. Attackers build a rainbow table, essentially an immense directory of every conceivable string (dictionary words, common surnames, well-known phrases) together with its hash, and simply look up each stolen hash to recover the original input.
Formspring, however, had randomly salted these passwords before hashing them. A salt is a random string unique to each user that is appended to the password before hashing. Because every user's hash is then computed over different input, a single precomputed table no longer applies to the whole set, and each account has to be attacked separately, making the lookup process far more difficult and processor-intensive.
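To make the difference concrete, here is an added example (not Formspring's or LinkedIn's code) contrasting the three storage schemes the article mentions. It assumes a tiny constructed "dictionary" standing in for a lookup table, and uses the standard library's PBKDF2 with an iteration count as a stand-in for bcrypt's tunable work factor, since bcrypt itself is not in the standard library.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a handful of common strings standing in for the
# "immense directory of every conceivable string" the article describes.
COMMON_STRINGS = ["password", "123456", "letmein", "qwerty", "formspring"]


def sha256_unsalted(password: str) -> str:
    """LinkedIn-style storage: a bare SHA-256 of the password, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def sha256_salted(password: str, salt: bytes) -> str:
    """Formspring's original scheme: a per-user random salt plus the password."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> string once. With no salt, one table covers every user."""
    return {sha256_unsalted(c): c for c in candidates}


def lookup(table, stored_hash: str):
    """Return the candidate whose unsalted hash matches, or None if the table misses."""
    return table.get(stored_hash)


def slow_hash(password: str, salt: bytes, cost: int) -> str:
    """Stand-in for bcrypt's work factor (assumption: PBKDF2-HMAC-SHA256, not
    bcrypt). Each increment of `cost` doubles the work for every single guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost).hex()


def verify(password: str, salt: bytes, stored: str, cost: int) -> bool:
    """Verifier-side check; constant-time compare so timing leaks nothing."""
    return hmac.compare_digest(slow_hash(password, salt, cost), stored)


def demo():
    table = build_lookup_table(COMMON_STRINGS)
    unsalted = sha256_unsalted("letmein")
    salt = secrets.token_bytes(16)
    salted = sha256_salted("letmein", salt)
    return {
        "unsalted_recovered": lookup(table, unsalted),  # table hit: "letmein"
        "salted_recovered": lookup(table, salted),      # None: table is useless
        "guesses_per_user_salted": len(COMMON_STRINGS),  # must redo work per salt
    }
```

The salted case forces the dictionary to be rehashed for every user's salt, and a slow function such as bcrypt multiplies the cost of each of those guesses.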