Phuket Gazette: Hackers release more than 420,000 passwords

– World news selected by Gazette editors for Phuket’s international community

PHUKET: The questions and answers website Formspring yesterday disabled the passwords of its more than 29 million registered users as a precaution after nearly half a million of them were posted on a website, the company’s founder said.

The website, where users can ask each other questions or be asked questions by anonymous people, said it was alerted by someone that 420,000 passwords had been posted to a security forum. The leaked passwords were camouflaged with a common cryptographic code called SHA-256 hash, a version of the SHA-2 hash function which is known to have security issues.

“Once we were able to verify that the hashes were obtained from Formspring, we locked down our systems and began an investigation to determine the nature of the breach,” Formspring founder and CEO Ade Olonoh said in a blog post. “We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database.”

The file released on the security forum did not contain usernames or other identifying information, but the company did not say whether the hackers may have been able to access them. It said it immediately ‘fixed the hole’ and upgraded the hashing mechanisms for its password database to bcrypt, which is considered more secure.

“In response to this, we have disabled all users passwords,” Olonoh said. “We apologize for the inconvenience but prefer to play it safe and have asked all members to reset their passwords. Users will be prompted to change their passwords when they log back into Formspring.”

Formspring spokeswoman Dorothée Fisher says it currently has more than 29 million registered users.

— Phuket Gazette Editors