Formspring has reported a breach of 420,000 user passwords, while Yahoo has said that up to 400,000 Voice account usernames and passwords have been stolen and published online.
According to a blog post by the Formspring CEO and founder Ade Olonoh, the social networking site has disabled all users' passwords in response and will prompt users to choose a new password when they next log in.
He said he was notified that approximately 420,000 password hashes had been posted to a security forum, and that a forum user suspected they could be Formspring passwords.
“The post did not contain usernames or any other identifying information. Once we were able to verify that the hashes were obtained from Formspring, we locked down our systems and began an investigation to determine the nature of the breach,” he said.
“We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database.
We were able to immediately fix the hole and upgraded our hashing mechanisms from sha-256 with random salts to bcrypt to fortify security.”
Olonoh said Formspring is continuing to review its internal security policies and practices to ensure that this never happens again. “We apologise for the inconvenience but prefer to play it safe and have asked all members to reset their passwords,” he said.
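The move Olonoh describes, from salted SHA-256 to a deliberately slow hash, cannot be applied to stored hashes directly: the plaintext is needed, so the switch happens when a user next sets or enters a password (Formspring's forced reset does exactly that). The following added example, which is not Formspring's code, shows a login check that verifies a legacy salted-SHA-256 record and rewrites it under a slow scheme on success; it uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, with the record layout and salt values constructed for illustration.

```python
import hashlib
import hmac
import os

# Work factor: 2**17 iterations, mirroring bcrypt's cost parameter (assumed value).
WORK_FACTOR = 17


def legacy_hash(password: bytes, salt: bytes) -> bytes:
    """Pre-breach scheme: one fast SHA-256 per guess, so offline cracking is cheap."""
    return hashlib.sha256(salt + password).digest()


def slow_hash(password: bytes, salt: bytes, work: int = WORK_FACTOR) -> bytes:
    """Stand-in for bcrypt (not in the standard library): PBKDF2-HMAC-SHA256
    with 2**work iterations, so each guess costs the attacker real time."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 2 ** work, dklen=32)


def make_record(password: bytes, work: int = WORK_FACTOR) -> dict:
    """Create a record under the slow scheme with a fresh per-user salt."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "work": work, "salt": salt,
            "hash": slow_hash(password, salt, work)}


def verify_and_upgrade(record: dict, password: bytes):
    """Check a login against whichever scheme the record uses. A legacy record
    that verifies is replaced by a slow-scheme record; the caller stores it.
    Returns (ok, record_to_store)."""
    if record["scheme"] == "sha256":
        expected = legacy_hash(password, record["salt"])
        if hmac.compare_digest(expected, record["hash"]):
            return True, make_record(password)     # migrate at login time
        return False, record
    if record["scheme"] == "pbkdf2":
        expected = slow_hash(password, record["salt"], record["work"])
        return hmac.compare_digest(expected, record["hash"]), record
    raise ValueError("unknown password scheme: %r" % record["scheme"])


# Constructed sample legacy record (salt and password are made up for the demo).
LEGACY_SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
LEGACY_RECORD = {"scheme": "sha256", "salt": LEGACY_SALT,
                 "hash": legacy_hash(b"correct horse battery", LEGACY_SALT)}
```

Because the migration only runs on a successful login, accounts that never log in keep their fast hashes; a forced reset, as Formspring chose, closes that gap.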
Meanwhile, Yahoo has said that up to 400,000 of its Voice account usernames and passwords have been stolen and published online.
According to security researcher Rob Fuller, the credentials were kept in clear text and were taken from the Yahoo.com subdomain dbb1.ac.bf1.yahoo.com. TrustedSec said the breach appeared to be an SQL injection attack to extract the sensitive information from the database.
A brief note at the end of the dump said: “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in web servers belonging to Yahoo that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”