Formspring and Yahoo Voices services compromised
The last 24 hours have been filled with news of two compromised services. The first victim of a successful attack was the social question and answer site Formspring. After being notified that a set of 420k password hashes that had been posted to a security forum could be from Formspring, the site operators quickly confirmed the suspicion and locked down their systems to begin an investigation of the issue.
What they discovered is that the attacker broke into a development server and used that access to reach a production database. The security issue was quickly fixed by Formspring, which also improved the hashing mechanism from SHA-256 with random salts to bcrypt.
Since user passwords - in the form of password hashes - were out in the open, the company decided to reset all passwords on the site. All Formspring users will be asked to change their passwords when they try to log back into the site for the first time.
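Added example, not Formspring's code and not part of the original article: a scheme-tagged password record that refuses the legacy salted SHA-256 hashes, forces a reset, and stores new passwords with a tunable work factor. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt here; the record layout, function names, iteration count and the out-of-band reset step are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example

def legacy_record(password: str, salt: bytes) -> str:
    # Old scheme named in the article: one SHA-256 pass over salt + password.
    return f"sha256${salt.hex()}${hashlib.sha256(salt + password.encode()).hexdigest()}"

def slow_record(password: str, iterations: int = ITERATIONS) -> str:
    # Stand-in for bcrypt: PBKDF2-HMAC-SHA256 with the cost stored in the record.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"

def verify_slow(password: str, record: str) -> bool:
    try:
        scheme, iterations, salt_hex, digest = record.split("$")
        if scheme != "pbkdf2":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    except ValueError:  # malformed or truncated record
        return False
    return hmac.compare_digest(dk.hex(), digest)  # constant-time comparison

def login(users: dict, name: str, password: str) -> str:
    record = users.get(name, "")
    if record.startswith("sha256$"):
        # Leaked legacy hash: never accept it, send the user through a reset.
        return "reset_required"
    if not verify_slow(password, record):
        return "denied"
    if int(record.split("$")[1]) < ITERATIONS:
        users[name] = slow_record(password)  # raise the cost transparently
    return "ok"

def complete_reset(users: dict, name: str, new_password: str) -> None:
    # Called only after an out-of-band reset step (assumed, e.g. an e-mail link).
    users[name] = slow_record(new_password)
```

Because the cost is stored inside each record, the work factor can be raised later without another site-wide reset: records below the current setting are rehashed at the next successful login.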
While not actively enforced, security guidelines have been posted on the blog to help users pick better, more secure passwords. This includes selecting passwords with ten or more characters, and using a mixture of special characters and upper and lowercase letters for the passwords.
But Formspring was not the only service compromised in the past 24 hours. Yahoo Voices, not to be confused with Yahoo Voice, Yahoo's voice over IP service, has been compromised by a simple database attack that leaked more than 450,000 unencrypted passwords, usernames and related information. The list has been put online and has already been analyzed by security experts.
The findings are quite interesting if you look at the top 10 passwords and base words used to protect the accounts, as you find the usual weak passwords like "password", "123456", "abc123" or "welcome" in the top 10. Users of Yahoo Voices are asked to change their password as soon as possible to prevent their accounts from being taken over by hackers or other users who managed to get hold of the list of leaked information. What makes this more pressing is the fact that the passwords have been saved in clear text in the database.
Update: According to the BBC, Yahoo is investigating the matter.