Formspring 420,000 lost passwords were encrypted, salted

By

Moves quickly to disable passwords.

The social networking Q&A site Formspring has been hacked and had 420,000 password hashes stolen and published online.

Formspring 420,000 lost passwords were encrypted, salted

The company disabled all user passwords following a tip off from a user who spotted the hashes on a forum early Monday morning.

An unknown attacker breached one of Formspring's development servers and managed to access account data stored in a production database, Formspring chief executive Ade Olonoh said in a blog post.

Usernames and other personal data were not posted along with the SHA-256 salted password hashes, according to Formspring.

"We apologise for the inconvenience, but prefer to play it safe and have asked all members to reset their passwords," Olonoh wrote.

Users will be prompted to change their passwords when they log back into Formspring.

Formspring has fixed the hole and upgraded its hashing mechanisms to bcrypt, a cryptographic hash function that is stronger because it is slow to compute. It was designed to become even slower to create lookup tables as processors became faster.

The incident is reminiscent of a breach announced last month by LinkedIn. Like Formspring, LinkedIn first learned of the compromise when a file containing hashes of member passwords appeared on a hacking forum.

However, LinkedIn had only hashed the passwords without using a salt.Hashing is a one-way encryption, where each string always returns the same cryptographic output.

It's not possible to take a hash and work out what the original input was, but lookup tables help figure out what the hashed value is.

Attackers create a rainbow table, which is essentially an immense directory of every conceivable string, including dictionary words, common surnames, well-known phrases, and just look up each hash to find the original input.

Formspring, however, had randomly salted these passwords before hashing them.

A salt is a random string unique to each user that is appended to the password, making the lookup process even more difficult and processor-intensive.

This article originally appeared at scmagazineus.com

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:
cryptographydata breachhackingpasswordssecurity

Sponsored Whitepapers

See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Diamond IT Delivers GRC Transformation with Microsoft Purview
Diamond IT Delivers GRC Transformation with Microsoft Purview
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy

Events

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers
Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies
Victoria's Secret pulls down website amid security incident

Victoria's Secret pulls down website amid security incident
Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?