On July 10, 2012, Formspring founder Ade Olonoh published a post on the social network’s blog alerting customers to a breach in the company’s system and warning that some users’ passwords may have been accessed. Approximately 420,000 “password hashes” were posted to a security forum, though without usernames or any other information that would indicate who owned which password.
Formspring acted quickly and disabled all passwords and then sent its users the following notice:
Dear Formspring user,
For security reasons, we have disabled your password and ask that you reset it. When you log back into Formspring, you will be prompted to change your password.
Thank you for taking the time to reset your password.
The Formspring Team
The blog post also gave readers some advice about how to make their accounts more secure, such as choosing long, complicated passwords, using a different password for each website, changing passwords often, and not sharing or writing passwords down. The post advised users to keep personal information like their email addresses, home addresses and telephone numbers off of their Formspring profiles and to remember to log out of their Formspring accounts when using shared computers.
An update to the blog reads: “We were able to immediately fix the hole and upgraded our hashing mechanisms from sha-256 with random salts to bcrypt to fortify security. We take this matter very seriously and continue to review our internal security policies and practices to help ensure that this never happens again.”
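The change the update describes, together with the forced reset, can be sketched as follows. This is an added example, not Formspring's code: scrypt from Python's standard library stands in for bcrypt (which needs a third-party package), and the record format, function names and sample account are assumptions.

```python
import hashlib
import hmac
import os

# Assumed record format (hypothetical): "scheme$salt_hex$digest_hex"
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # work factor, tune per hardware

def legacy_hash(password, salt):
    """Old scheme from the update: a single SHA-256 pass over salt + password."""
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"sha256${salt.hex()}${digest}"

def strong_hash(password, salt=None):
    """New scheme: deliberately slow, salted KDF (scrypt standing in for bcrypt)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS).hex()
    return f"scrypt${salt.hex()}${digest}"

def reset_password(user_db, user, new_password):
    """A reset always writes the new scheme, replacing any legacy record."""
    user_db[user] = strong_hash(new_password)

def login(user_db, user, password):
    """Return 'ok', 'denied' or 'reset_required'."""
    record = user_db.get(user)
    if record is None:
        return "denied"
    scheme, salt_hex, _ = record.split("$")
    if scheme != "scrypt":
        # Hash from the breached scheme: treat as disabled, even if the
        # password is correct, and send the user through a reset.
        return "reset_required"
    candidate = strong_hash(password, bytes.fromhex(salt_hex))
    return "ok" if hmac.compare_digest(candidate, record) else "denied"

if __name__ == "__main__":
    # Constructed sample account, not real data.
    db = {"alice": legacy_hash("old-password", os.urandom(16))}
    print(login(db, "alice", "old-password"))
    reset_password(db, "alice", "new long passphrase")
    print(login(db, "alice", "new long passphrase"))
    print(login(db, "alice", "old-password"))
```

Tagging each record with its scheme is what lets the login path tell a pre-breach hash from a current one and refuse the former outright.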
Formspring seems to have survived this disaster with minimal damage. Hackers get smarter and more sophisticated every day, and no system is 100% secure. How well would your business fare after a data breach resulted in your clients’ information being published on the Internet? Don’t wait to find out.