Social question and answer website Formspring has been breached, and a dump of 420,000 passwords is spreading around the interwebs. Formspring, which was founded in 2009, has more than 20 million registered users. It recently gained notoriety due to incidents of bullying leading to the deaths of teenagers.
Formspring has confirmed that an unknown attacker managed to break into one of its development servers and extract account information from a production database. Fortunately, Formspring had significantly better security practices than most other recently hacked web services: all the passwords were hashed using SHA-256 with salting. Thus, if you have a reasonably secure password, you will most likely be safe. However, salting only defeats precomputed tables; it does not make each guess slower, so users with weak passwords still stand the risk of being exposed. As a precautionary measure, Formspring is forcing all of its users to change their password. It has also updated its authentication system to use the bcrypt hashing function, which is practically impossible to brute force.
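To make the contrast concrete, here is an added example (not Formspring's code) of the two storage schemes the article describes: single-pass salted SHA-256, and a work-factor KDF in its place. Since bcrypt is not in Python's standard library, `hashlib.scrypt` is assumed as a stand-in; the property that matters, a tunable cost per guess, is the same.

```python
import hashlib
import hmac
import os
import time

# Assumption: scrypt stands in for bcrypt, which needs a third-party package.
SCHEMES = {
    # What leaked: one fast hash over salt || password.
    "sha256": lambda pw, salt: hashlib.sha256(salt + pw.encode()).digest(),
    # Work-factor KDF: n = 2**14 makes every verification cost tens of ms.
    "scrypt": lambda pw, salt: hashlib.scrypt(
        pw.encode(), salt=salt, n=1 << 14, r=8, p=1, dklen=32
    ),
}


def make_record(password: str, scheme: str) -> dict:
    """Store a credential as (scheme, per-user random salt, hash)."""
    salt = os.urandom(16)
    return {"scheme": scheme, "salt": salt, "hash": SCHEMES[scheme](password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Recompute under the stored salt; constant-time compare of the digests."""
    digest = SCHEMES[record["scheme"]](candidate, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def checks_per_second(scheme: str, trials: int = 10) -> float:
    """Throughput of the defender's own verify(); this is also the ceiling an
    offline guesser gets per core, which is why the fast scheme is the risk."""
    record = make_record("correct horse battery", scheme)
    start = time.perf_counter()
    for i in range(trials):
        verify(record, f"wrong-guess-{i}")  # constructed non-matching inputs
    return trials / (time.perf_counter() - start)


if __name__ == "__main__":
    a = make_record("hunter2", "sha256")
    b = make_record("hunter2", "sha256")
    print("same password, different salts, different hashes:", a["hash"] != b["hash"])
    for name in SCHEMES:
        print(f"{name:7s} ~{checks_per_second(name):,.0f} checks/s")
```

Salting makes two users with the same password look different on disk, but only the second scheme makes each individual guess expensive.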
Formspring needs to be applauded for employing a fairly strong hashing mechanism and for reacting quickly. However, the security breach once again reinforces the belief that no web service is truly safe. Hence, it’s always a good idea to have a unique password for every website. If you reuse your Formspring password on other services, it is advised that you change your password on those services too. Going forward, you might want to use a password manager like LastPass.