Formspring and Yahoo Voices services compromised

Martin Brinkmann
Jul 12, 2012
Updated • Nov 18, 2012
Security, Yahoo

The last 24 hours have been filled with news of two compromised services. The first victim of a successful attack was the social question and answer site Formspring. After being notified that a set of 420k password hashes posted to a security forum could be from Formspring, the site operators quickly confirmed the suspicion and locked down their systems to begin an investigation of the issue.

They discovered that the attacker had broken into a development server and used that access to reach a production database. Formspring quickly fixed the security issue and also changed its password hashing from SHA-256 with random salts to bcrypt.
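To show why that hashing change matters, here is an added example (not Formspring's code) that stores the same password as a salted SHA-256 record and as a record from a deliberately slow key-derivation function, then measures the time one verification costs in each scheme. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 stands in for it; the function names and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor for the stand-in slow KDF (PBKDF2, not bcrypt).
ITERATIONS = 200_000

def hash_salted_sha256(password, salt=None):
    """Old scheme: a single SHA-256 pass over random salt + password."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()

def verify_salted_sha256(password, salt, digest):
    return hmac.compare_digest(hash_salted_sha256(password, salt)[1], digest)

def hash_slow_kdf(password, salt=None, iterations=ITERATIONS):
    """New scheme (stand-in): the work factor is stored next to the salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_slow_kdf(password, salt, iterations, digest):
    return hmac.compare_digest(hash_slow_kdf(password, salt, iterations)[2], digest)

def seconds_per_check(verify, *record, rounds=3):
    """Average wall-clock cost of one verification against a stored record."""
    start = time.perf_counter()
    for _ in range(rounds):
        verify("not-the-password", *record)
    return (time.perf_counter() - start) / rounds

if __name__ == "__main__":
    # Constructed sample: one of the weak passwords named in the article.
    fast_record = hash_salted_sha256("welcome")
    slow_record = hash_slow_kdf("welcome")
    fast = seconds_per_check(verify_salted_sha256, *fast_record)
    slow = seconds_per_check(verify_slow_kdf, *slow_record)
    print(f"salted SHA-256: {fast * 1e6:.1f} microseconds per check")
    print(f"slow KDF:       {slow * 1e3:.1f} milliseconds per check")
    print(f"cost ratio:     about {slow / fast:,.0f}x")
```

The salt makes identical passwords produce different records in both schemes, but only the slow function raises the cost of every check against a leaked record.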

Since user passwords - in the form of password hashes - were out in the open, the company decided to reset all passwords on the site. All Formspring users will be asked to change their passwords when they try to log back into the site for the first time.


While not actively enforced, security guidelines have been posted on the blog to help users pick better, more secure passwords. These include selecting passwords with ten or more characters and using a mixture of special characters and upper- and lowercase letters.

But Formspring was not the only service compromised in the past 24 hours. Yahoo Voices, not to be confused with Yahoo Voice, Yahoo's voice over IP service, has been compromised by a simple database attack that leaked more than 450,000 unencrypted passwords, usernames and related information. The list has been put online and has already been analyzed by security experts.

The findings are quite interesting if you look at the top 10 passwords and base words used to protect the accounts: you find the usual weak passwords like "password", "123456", "abc123" or "welcome" in the top 10. Users of Yahoo Voices are asked to change their password as soon as possible to prevent their accounts from being taken over by hackers or other users who managed to get hold of the list of leaked information. What makes this more pressing is the fact that the passwords were saved in clear text in the database.

Update: According to the BBC, Yahoo is investigating the matter.




  1. paulo oliveira said on April 26, 2011 at 12:39 am

    great article, Martin. If possible, publish more tutorials on Yahoo Pipes, please!

  2. SFdude said on April 27, 2011 at 2:14 am

    This was good, short & clear example!

    Write another similar article,
    with an example of “Fetch Data”, in Yahoo Pipes…


  3. Jelbee said on June 25, 2011 at 6:03 am

    My site has two RSS: one for the articles and video. Thanks for sharing this, it saves me from trouble.

  4. rstarter said on September 20, 2011 at 8:18 am

    Hi Martin,
    Is it possible to make the pubDate to be visible just under the feed headline?


    1. Martin Brinkmann said on September 20, 2011 at 9:11 am

      Good question, I cannot really answer that unfortunately. Has been a long time since I last played around with Yahoo Pipes.

  5. Jonathan said on September 25, 2011 at 4:43 pm

    Very useful! Thanks

    Unfortunately I want to combine 70 RSS feeds (student blogs I want to see in one go – ) but Pipes seems to limit me to 10 at a time.
    I thought about creating a feed of ten, a feed of another ten, and then combining those… but it doesn’t work.
    Any thoughts on how to go beyond the ten feed limit?

  6. rascasse83 said on December 17, 2011 at 4:33 pm

    To have more than 10 use multiple Fetch Feeds and connect them to a UNION Operator.

    1. will said on August 15, 2013 at 6:20 am

      Thanks for your help!
