Social networking site Formspring said Tuesday that it was disabling nearly 30 million registered users' passwords after hundreds of thousands of them were leaked to the Web.
Formspring was notified that approximately 420k password hashes had been posted to a security forum, where a user suspected that they could be Formspring passwords. The post did not contain usernames or any other identifying information.
Once the company verified that the hashes were obtained from Formspring, it locked down its systems and began an investigation to determine the nature of the breach. Formspring found that someone had broken into one of its development servers and was able to use that access to extract account information from a production database.
Formspring fixed the hole and upgraded its hashing mechanisms from SHA-256 with random salts to bcrypt to fortify security.
"We take this matter very seriously and continue to review our internal security policies and practices to help ensure that this never happens again," Formspring said in a blog post.
Formspring is sending email asking its users to reset their passwords.