Formspring resets 28 million passwords after server breach

Formspring was notified that 420,000 password hashes, but not user names or other identifying information, were posted to an online security forum, Ade Olonoh, the company’s founder, said in a blog post.

“Once we were able to verify that the hashes were obtained from Formspring, we locked down our systems and began an investigation to determine the nature of the breach. We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database”, he wrote.

The company closed the hole and upgraded its password hashing from SHA-256 with random salts to bcrypt.
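An added example (not Formspring's code) of what the application side of such a hashing upgrade looks like: stored hashes cannot be converted without the plaintext, so the verifier accepts both record formats and rehashes a legacy salted-SHA-256 record only when the user next authenticates successfully. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 with a high iteration count stands in for bcrypt's tunable work factor; the record format, prefixes and iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption: record formats are "sha256$<salt hex>$<digest hex>" (legacy) and
# "pbkdf2$<iterations>$<salt hex>$<digest hex>" (upgraded). PBKDF2 stands in
# for bcrypt here; the cost parameter plays the role of bcrypt's work factor.
PBKDF2_ITERATIONS = 600_000  # assumption: tuned so one check costs tens of ms


def hash_legacy_sha256(password: str, salt: Optional[bytes] = None) -> str:
    """Legacy scheme: a single SHA-256 over salt || password (fast to compute)."""
    salt = salt or os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"sha256${salt.hex()}${digest}"


def hash_upgraded(password: str, salt: Optional[bytes] = None) -> str:
    """Upgraded scheme: salted, iterated hash with an explicit cost in the record."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a password against either record format, in constant time on the digest."""
    scheme, *fields = stored.split("$")
    if scheme == "sha256":
        salt_hex, digest = fields
        expected = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    elif scheme == "pbkdf2":
        iters, salt_hex, digest = fields
        expected = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        ).hex()
    else:
        return False  # unknown scheme: never accept
    return hmac.compare_digest(expected, digest)


def login(password: str, stored: str) -> Tuple[bool, str]:
    """Verify, and on success rehash a legacy record under the upgraded scheme.

    Returns (accepted, record_to_store); the caller persists the second value.
    """
    if not verify(password, stored):
        return False, stored
    if stored.startswith("sha256$"):
        return True, hash_upgraded(password)  # plaintext is available only now
    return True, stored
```

Accounts that never log in again keep their legacy record, which is why a breach of the old hashes still calls for a forced reset rather than waiting for migration to complete.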

“We take this matter very seriously and continue to review our internal security policies and practices to help ensure that this never happens again”, Olonoh said.

Formspring offered the following guidelines for resetting user passwords: craft a long and complex password that uses 10 or more characters, lower and uppercase letters, and special characters; do not use the same password on other sites and do not share the password with anyone or write it down; and change the password every few months.

What’s hot on Infosecurity Magazine?