Formspring, a social Q&A website popular with teenagers, this week disabled its users' passwords after discovering a security breach. Founder and CEO Ade Olonoh apologized to users for the inconvenience and advised them to change their passwords the next time they log in.
In a blog entry, Olonoh explains that the company was notified that 420,000 password hashes that appear to belong to its users had been posted to a security forum. It immediately began an internal investigation and disabled the passwords of all 28 million users.
Usernames and other identifying information were not posted with the passwords, but Formspring found that someone had broken into one of its development servers and stolen data from a production database.
Hashed passwords aren't immediately usable, although a capable attacker can sometimes recover the original passwords from them.
Formspring launched in 2009 as a crowd-powered question-and-answer site. Last month, the company announced a major revamp intended to shift the site's focus toward users' interests.
The company is now reviewing its security practices to ensure the incident is not repeated. At the time of the leak, passwords were hashed with SHA-256, and the company had been vigilant enough to use random salts. Since the attack, however, it has moved to bcrypt.
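The two points above, that salted hashes are not directly usable but can still be attacked, and that the fix is a deliberately slow algorithm such as bcrypt, come down to the cost of checking one guess. The following is an added illustration, not Formspring's code: it stores and verifies passwords under the legacy salted-SHA-256 scheme, shows a login-time upgrade to a slow scheme, and measures how much more each guess costs. The 16-byte salt, the salt-then-password order, and the use of the standard library's PBKDF2-HMAC-SHA256 as a stand-in for bcrypt (which needs a third-party package) are assumptions of this example.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Tuple

# Legacy scheme, as described in the article: SHA-256 over a random per-user salt.
# The 16-byte salt length and salt-then-password order are assumptions for this
# example; the article does not give Formspring's actual record format.
LEGACY_SALT_BYTES = 16


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Salted SHA-256: the salt defeats precomputed tables, but each guess
    still costs a single fast hash call."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def legacy_record(password: str) -> Dict:
    salt = os.urandom(LEGACY_SALT_BYTES)
    return {"scheme": "sha256", "salt": salt, "hash": legacy_hash(password, salt)}


# Stand-in for bcrypt (assumption: bcrypt needs a third-party package, so the
# standard library's PBKDF2-HMAC-SHA256 plays its role here). What matters is
# the tunable work factor: each guess costs `iterations` hash calls, not one.
SLOW_ITERATIONS = 100_000


def slow_hash(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def slow_record(password: str, iterations: int = SLOW_ITERATIONS) -> Dict:
    salt = os.urandom(LEGACY_SALT_BYTES)
    return {"scheme": "pbkdf2", "salt": salt, "iterations": iterations,
            "hash": slow_hash(password, salt, iterations)}


def verify(record: Dict, password: str) -> bool:
    """Recompute under the record's own scheme and compare in constant time."""
    if record["scheme"] == "sha256":
        candidate = legacy_hash(password, record["salt"])
    elif record["scheme"] == "pbkdf2":
        candidate = slow_hash(password, record["salt"], record["iterations"])
    else:
        return False
    return hmac.compare_digest(candidate, record["hash"])


def verify_and_upgrade(record: Dict, password: str) -> Tuple[bool, Dict]:
    """Login-time migration: a successful login against a legacy record is the
    only moment the plaintext is available, so rehash it under the slow scheme
    then and return the replacement record to be stored."""
    ok = verify(record, password)
    if ok and record["scheme"] == "sha256":
        return True, slow_record(password)
    return ok, record


def cost_ratio(password: str = "example-password", legacy_trials: int = 2000) -> float:
    """How many times more expensive one slow-scheme guess is than one legacy guess."""
    salt = os.urandom(LEGACY_SALT_BYTES)
    start = time.perf_counter()
    for _ in range(legacy_trials):
        legacy_hash(password, salt)
    legacy_per_guess = (time.perf_counter() - start) / legacy_trials
    start = time.perf_counter()
    slow_hash(password, salt, SLOW_ITERATIONS)
    slow_per_guess = time.perf_counter() - start
    return slow_per_guess / max(legacy_per_guess, 1e-9)


if __name__ == "__main__":
    # Constructed sample credential for the demonstration.
    stored = legacy_record("correct horse battery staple")
    ok, stored = verify_and_upgrade(stored, "correct horse battery staple")
    print("login ok:", ok, "| scheme now:", stored["scheme"])
    print("slow/legacy cost per guess: %.0fx" % cost_ratio())
```

The ratio printed at the end is the whole argument for the migration: a leaked table of salted SHA-256 hashes lets an attacker test guesses at the speed of a single hash call, while a slow, tunable scheme multiplies that cost by the work factor. Disabling all passwords and forcing a reset, as Formspring did, is the other way to get every account onto the new scheme when waiting for each user's next login is not acceptable.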