Formspring hacked, all passwords reset

Social network Formspring reset passwords for all of its 28 million members Wednesday after hackers posted password information to about 420,000 accounts online.

The security breach came a month after a similar breach affecting the passwords of 6.5 million members of professional social network LinkedIn.

In a blog post, Formspring founder Ade Olonoh said the San Francisco company was notified that about 420,000 password hashes were posted to an online security forum, although they did not include user names or other member-identifying information.

"Once we were able to verify that the hashes were obtained from Formspring, we locked down our systems and began an investigation to determine the nature of the breach," Olonoh wrote. "We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database."

Formspring plugged the hole and upgraded its encryption systems, but also decided to disable all passwords to "play it safe," he said. Members who signed on through Facebook could still do so, but the company also advised all users to change their passwords once they logged back on.

The 2-year-old company last month shifted from its social question-and-answer roots to emphasizing conversations based on interests, according to TechCrunch.

"To their credit, Formspring appears to have dealt with the security breach quickly and fairly transparently," said Graham Cluley, senior technology consultant at computer security firm Sophos.

"There are undoubtedly lessons to be learned from the hack - and users would be wise to ensure that they take heed of the advice to use unique, hard-to-guess passwords on different websites - but I'm much more impressed with how Formspring has handled this incident than, say, LinkedIn," Cluley said on his company's blog, Naked Security.