Question and answer site Formspring has disabled the passwords of everyone on its service after suffering a security breach. In a blog post today, the company said that someone had broken into a development server and used this access to pull account information from a production database. Formspring was alerted when someone posted cryptographic hashes of 420,000 user passwords on a security forum. No usernames were attached, and the hashed passwords were salted (an additional security measure), but Formspring says it has since upgraded its encryption.
In the meantime, it's taken the somewhat unusual step of forcing every user to reset their passwords when they log back into the site. Since Formspring reported over 20 million registered members early last year and we've heard no reports of the hashed passwords actually being revealed or linked to other account data, this is a relatively extreme security measure for what's leaked so far. It's possible that the company expects other information was taken as well, or that it's taking this action as part of a general security upgrade post-breach. We'd urge anyone on the site to go ahead and log in, following the recommended guidelines to set a new password.