Formspring hacked, 28 million users told to change their passwords

Formspring is the latest in the seemingly unending list of websites to have suffered a security breach – with the password hashes of at least 420,000 users compromised and posted to the internet.

A blog entry posted by Formspring’s CEO and founder Ade Olonoh explains that the passwords of all 28 million users have been disabled (after all, only 420,000 have been posted on the net – but who knows how many the hackers may have accessed?).

According to the firm, usernames and other identifying information were not published alongside the stolen password hashes. Furthermore, in a positive sign, users were told that the SHA-256 hashed passwords were salted – and that Formspring is now tightening security further by introducing stronger bcrypt cryptographic hashes.

Formspring also says that it has identified the security hole that allowed a hacker to breach its systems:

“Once we were able to verify that the hashes were obtained from Formspring, we locked down our systems and began an investigation to determine the nature of the breach. We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database.”

To their credit, Formspring appears to have dealt with the security breach quickly and fairly transparently.

There are undoubtedly lessons to be learnt from the hack – and users would be wise to ensure that they take heed of the advice to use unique, hard-to-guess passwords on different websites – but I’m much more impressed with how Formspring has handled this incident than, say, LinkedIn.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
