On Wednesday, Formspring was notified that about 400,000 of its users' password hashes had been posted online. The dump contained only password hashes, with no usernames or any other information. “Once we were able to verify that the hashes were obtained from Formspring, we locked down our systems and began an investigation to determine the nature of the breach,” said CEO Ade Olonoh. “We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database.”
Formspring was founded in November 2009 as a social question-and-answer site. Users would ask other users questions, which could then be answered and displayed publicly. Back in June they relaunched the site and shifted away from social Q&A to something more focused on conversation: ask a question and get tons of responses, kind of like Quora. They have 28 million accounts, all of which were locked down during this ordeal.
Formspring was quickly able to resolve the issue by fixing the security hole and upgrading their hashing mechanism from SHA-256 with random salts to bcrypt, whatever that means, amirite? Don’t worry though, because Formspring takes “this matter very seriously” and continues to review internal security policies and practices to make sure it doesn’t happen again. I love when companies take matters *quote* very seriously *quote*.
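What an upgrade like that can look like, as an added example that is not Formspring's code: stored salted SHA-256 records are wrapped in a slow hash right away, then rehashed from the real password at the next successful login. The function names and record layout are hypothetical, and scrypt from Python's standard library stands in for bcrypt, which the standard library does not ship.

```python
import hashlib
import hmac
import os

# Assumption: scrypt stands in for bcrypt (not in the standard library).
COST = {"n": 2**14, "r": 8, "p": 1, "dklen": 32}  # tunable work factor

def sha256_salted(password: bytes, salt: bytes) -> bytes:
    """Legacy scheme: one fast SHA-256 over salt + password."""
    return hashlib.sha256(salt + password).digest()

def slow(data: bytes, salt: bytes) -> bytes:
    """Deliberately expensive hash; each guess costs time and memory."""
    return hashlib.scrypt(data, salt=salt, **COST)

def wrap_legacy(rec: dict) -> dict:
    """Harden a stored legacy record without knowing the password."""
    outer = os.urandom(16)
    return {"scheme": "wrapped", "salt": rec["salt"], "outer_salt": outer,
            "hash": slow(rec["hash"], outer)}

def new_record(password: str) -> dict:
    """Final form: slow hash computed directly over the password."""
    salt = os.urandom(16)
    return {"scheme": "slow", "salt": salt, "hash": slow(password.encode(), salt)}

def verify(rec: dict, password: str):
    """Return (ok, record); old-scheme records are replaced on a good login."""
    pw = password.encode()
    if rec["scheme"] == "sha256":
        candidate = sha256_salted(pw, rec["salt"])
    elif rec["scheme"] == "wrapped":
        candidate = slow(sha256_salted(pw, rec["salt"]), rec["outer_salt"])
    else:
        candidate = slow(pw, rec["salt"])
    if not hmac.compare_digest(candidate, rec["hash"]):  # constant-time compare
        return False, rec
    return True, (rec if rec["scheme"] == "slow" else new_record(password))

if __name__ == "__main__":
    salt = os.urandom(16)  # constructed sample account, not real data
    legacy = {"scheme": "sha256", "salt": salt,
              "hash": sha256_salted(b"constructed-password", salt)}
    wrapped = wrap_legacy(legacy)            # done for every row at once
    ok, upgraded = verify(wrapped, "constructed-password")
    print(ok, wrapped["scheme"], "->", upgraded["scheme"])
```

Wrapping matters because accounts that never log in again would otherwise keep the fast hash indefinitely.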
You shouldn’t be using the same password for multiple services, and especially not the same password you use for sensitive sites like online banking. Change your passwords if you do, and you should also be changing your passwords often just in case.