Formspring has joined the likes of LinkedIn, Last.fm, eHarmony and other sites breached recently, revealing yesterday that passwords were swiped from its servers. Following an investigation, the social service determined that an unknown intruder gained access to the company's development servers, from which they managed to lift account information off a production database, including 420,000 password hashes.
After learning about the break-in, Formspring disabled all user passwords, forcing members to go through a reset process. Although the stolen passwords were hashed rather than stored in plaintext and no accounts have been reported as compromised, the company said it's better safe than sorry.
As is customary, Formspring offered various tips on creating a strong password and keeping your account secure, such as using 10 or more characters including things like punctuation, mixing lower and uppercase letters, and avoiding known words. Other suggestions:
- Don't use the same passwords on other sites you visit
- Don't share your password with anyone or write it down
- Change your passwords every few months
- You can change your password from the Formspring Account Settings page
- Don't put your email address, address or phone number in your Formspring profile
- Log out of your account after you use a shared computer
- Keep your anti-virus software up to date
- Report any privacy issues to Customer Support
All members should have received an email requesting a password reset, though folks who log in with Facebook are unaffected unless they previously set a Formspring password. Within a day, the company located and patched the hole in its system, in addition to upgrading its hashing mechanism from SHA-256 with random salts to bcrypt.
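The response described above can be sketched in code. This is an added example, not Formspring's code: breached salted SHA-256 records are refused until the user resets, and new passwords are stored only with a slow key-derivation function. The record layout, the function names and the salt-then-password order are assumptions, and scrypt from Python's standard library stands in for bcrypt so the example runs without third-party packages.

```python
import hashlib
import hmac
import os

# Assumed record layout for this example: "scheme$salt_hex$digest_hex".
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, maxmem=64 * 2**20, dklen=32)


def legacy_record(password, salt):
    """Old scheme: one fast SHA-256 pass over salt || password (assumed order)."""
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"sha256${salt.hex()}${digest}"


def new_record(password, salt=None):
    """New scheme: slow, memory-hard KDF (scrypt standing in for bcrypt)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def login(password, stored):
    """Return 'ok', 'bad' or 'reset_required' for a stored record."""
    scheme, salt_hex, _digest = stored.split("$")
    if scheme != "scrypt":
        # Breached legacy hashes are disabled outright: they are never
        # accepted, even with the right password, until a reset completes.
        return "reset_required"
    candidate = new_record(password, bytes.fromhex(salt_hex))
    # Constant-time comparison avoids leaking how many characters matched.
    return "ok" if hmac.compare_digest(candidate, stored) else "bad"


def complete_reset(new_password):
    """Called once the e-mailed reset link is verified; writes the new scheme only."""
    return new_record(new_password)


if __name__ == "__main__":
    # Constructed sample account: fixed salt and a made-up password.
    old = legacy_record("Tr1cky-pass!", bytes.fromhex("00112233445566778899aabbccddeeff"))
    print(login("Tr1cky-pass!", old))             # legacy record is refused
    fresh = complete_reset("N3w&longer-pass")
    print(login("N3w&longer-pass", fresh), login("guess", fresh))
```
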