Formspring and Yahoo Voices services compromised

Martin Brinkmann
Jul 12, 2012
Updated • Nov 18, 2012
Security, Yahoo

The last 24 hours have been filled with news of two compromised services. First victim of a successful attack was the social question and answer site Formspring. After being notified that a set of 420k password hashes that had been posted  to a security forum could be from Formspring, the site operators quickly confirmed the suspicion and locked down their systems to begin an investigation of the issue.

What they discovered is that the attacker managed to break into a development server to get access to a production database from that access. The security issue was quickly fixed by Formspring, which also improved the hashing mechanism from a sha-256 algorithm with random salts to bcrypt.

Since user passwords - in the form of password hashes - were out in the open, the company decided to reset all passwords on the site. All Formspring users will be asked to change their passwords when they try to log back into the site for the first time.


While not actively enforced, security guidelines have been posted on the blog to help users pick better more secure passwords. This includes selecting passwords with ten or more characters, and using a mixture of special characters and upper and lowercase letters for the passwords.

But Formspring was not the only service compromised in the past 24 hours. Yahoo Voices, not to be confused with Yahoo Voice, Yahoo's voice over IP service, has been compromised by a simple database attack that leaked more than 450,000 unencrypted passwords, usernames and related information. The list has been put online and already been analyzed by security experts.

The findings are quite interesting if you look at the top 10 passwords and base words used to protect the accounts, as you find the usual weak passwords like "password", "123456", "abc123" or "welcome" in the top 10. Users of Yahoo Voices are asked to change their password as soon as possible to avoid that their accounts are taken over by hackers or other users who managed to get hold of the list of leaked information. What makes this more pressing is the fact that the passwords have been saved in clear text in the database.

Update: According to the BBC, Yahoo is investigating the matter.


Tutorials & Tips

Previous Post: «
Next Post: «


  1. ilev said on July 13, 2012 at 5:40 pm

    The security firm Rapid7 said a data file published on the Web contained logins and cleartext passwords for Yahoo as well as several other Internet services, including Google Inc’s Gmail and AOL as well as Microsoft Corp’s Hotmail, MSN and Live sites.

    “It’s way bigger than Yahoo,” said Rapid7 researcher Marcus Carey. “We can assume that tens of thousands of people on services outside of Yahoo could be compromised.”…

    Estimated breached accounts according to Rapid7 :

    106,000 Gmail accounts
    55,000 Hotmail
    25,000 AOL

  2. ilev said on July 13, 2012 at 6:35 am

    Nvidia Forums has been hacked.

    Posted July 12, 2012

    NVIDIA suspended operations of the NVIDIA Forums ( last week.

    We did this in response to suspicious activity and immediately began an investigation. We apologize that our continuing investigation is taking this long. Know that we are working around the clock to ensure that secure operations can be restored.

    Our investigation has identified that unauthorized third parties gained access to some user information, including:

    email address
    hashed passwords with random salt value
    public-facing “About Me” profile information
    NVIDIA did not store any passwords in clear text. “About Me” optional profiles could include a user’s title, age, birthdate, gender, location, interests, email and website URL – all of which was already publicly accessible.

    NVIDIA is continuing to investigate this matter and is working to restore the Forums as soon as possible. We are employing additional security measures to minimize the impact of future attacks.

    All user passwords for our Forums will be reset when the system comes back online. At that time, an email with a temporary password, along with instructions on how to change it, will be sent to the user’s registered email address…..

    1. Martin Brinkmann said on July 13, 2012 at 8:11 am

      Wow, thanks for posting.

  3. berttie said on July 12, 2012 at 11:57 pm

    Very early on, in fact back in the bulletin board days, I concluded that being online was a potential huge privacy risk, so I created a couple of non de plumes. Apart from my ISP, bank and a few businesses, the real me has no online presence. While I’d hate to lose one of my alter egos, better them than my real world reputation.

    1. Wayfarer said on July 13, 2012 at 1:58 am

      Hear hear, berttie – just common (and therefore quite uncommon) sense…

  4. Masoud said on July 12, 2012 at 9:36 pm

    Saving passwords without encryption and in plain-text is Genius!

  5. Wayfarer said on July 12, 2012 at 9:19 pm

    I don’t have accounts with either of the affected services. But I’d emphasise the last point that John makes even further.

    Whatever the service – do NOT provide them with any information you do not think they actually need. I have no conscience whatever about providing spurious information to online services right from the start. This is a lesson I leaned a decade ago on the internet – if the personal info they ask for isn’t pertinent to YOUR use of their service (what they want is irrelevant) then simply don’t give it. If you really believe they need your data ‘to provide an enhanced service’ then you need your head examining.

    Banking and insurance services, etc, are of course an exception – as are many online retail services, for quite obvious reasons. But for the rest, the less info you give the safer you’ll be, and the easier it is to abandon the service and re-register if things go wrong. Other than obvious agencies like banks or insurance brokers, few get my primary email address and fewer ever get my home phone number (NONE ever – under ANY circumstances other than medical agencies – get my cellphone number) – in my experience that’s simply a licence to be pestered. Online services who insist otherwise are simply abandoned.

    It astonishes me that people so often hand out sensitive information wholesale to anyone who asks for it online – to an extent they’d never dream of in the real world.

  6. John said on July 12, 2012 at 4:18 pm

    I was first alerted to my Formspring account being compromised via email. I deleted the email as it appeared to be suspicious. That was until I started seeing several media reports on the hack. I didn’t even know I had a Formspring account in the first place, it looks rather old. But due to the amount of hacks in recent years it has made me think twice before creating accounts with services I’ll probably never use. Should I have to create an account and don’t need it in the future I do one of the following:

    (1) Contact the company and request removal of my account; OR
    (2) Sometimes some websites don’t allow the removal of an account. For example, Skype or many forums. I delete all my personal information, replace it with fake details, change the password to something very strong, then use something like 10minute mail (to change the email address). Then the account won’t be associated with me anymore and should it be hacked – they won’t get personal details.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.