There's a bit more info in this one about exactly what was compromised though. While I can understand the abundance of caution in resetting passwords despite only hashes and salts being lost, it is odd that they would "[presume] the attackers may be able to decrypt the passwords," assuming they're using strong encryption.
I wouldn't call resetting passwords an "abundance of caution" in this case. It's very likely that the attackers are able to retrieve passwords when they have the SHA1 hash and the salt (not exactly by decrypting though).
Do they say somewhere that they're only using sha1 though? That's sort of what I meant: if bcrypt or scrypt is used, with an appropriate work factor, the risk should be very minimal. The fact that they're assuming it's not suggests they are using weaker encryption.
Ahh thanks. I read the email they sent out, which had very similar content, but omitted that bit. Just skimmed the post itself, but obviously missed that key info.
Interesting that they don't include strengthening their encryption (ok, hashing) in the list of steps they plan to take, but presumably they will.
"In late April, the UserVoice security team learned that an unauthorized party illegally accessed one of UserVoice’s backend reporting systems and was able to view user data on a small subset of users. The user data includes name, email, and a hashed password and salt. Unfortunately, the passwords were hashed with the SHA1 hashing algorithm, which by today’s standards is considered weak. As such, we’re resetting the passwords for all users in our database."
Funny thing, 37 minutes after receiving the first one, i received another notification on a secondary e-mail (also a gmail account) that is used for a toy project's free UserVoice account and is totally unrelated to the first one).
There's a bit more info in this one about exactly what was compromised though. While I can understand the abundance of caution in resetting passwords despite only hashes and salts being lost, it is odd that they would "[presume] the attackers may be able to decrypt the passwords," assuming they're using strong encryption.