Flipboard Breached in Nine-Month Raid

Flipboard has reset all customer passwords as a precaution after revealing that hackers had unauthorized access to user data for over nine months.

The news aggregator site, which has around 150 million monthly users, said the “unauthorized person” gained access to “certain Flipboard users account information,” although it didn’t reveal how many were affected.

“Findings from the investigation indicate an unauthorized person accessed and potentially obtained copies of certain databases containing Flipboard user information between June 2, 2018 and March 23, 2019 and April 21 – 22, 2019,” it said in a statement.

“The databases involved contained some of our users’ account information, including name, Flipboard username, cryptographically protected password and email address.”

The good news is that Flipboard protected passwords with salted hashing, making it harder but not impossible for attackers to crack them. However, credentials created or changed before March 14, 2012 are salted and hashed only with SHA-1, a less secure algorithm than the bcrypt currently in use.

“Additionally, if users connected their Flipboard account to a third-party account, including social media accounts, then the databases may have contained digital tokens used to connect their Flipboard account to that third-party account,” the firm added.

“We have not found any evidence the unauthorized person accessed third-party account(s) connected to users’ Flipboard accounts. As a precaution, we have replaced or deleted all digital tokens.”

No financial information or Social Security numbers were affected by the breach, and the firm claimed to have “enhanced” its security following the incident.

Although it followed best practices regarding user passwords, the fact that hackers managed to stay hidden for nine months will be of concern to users.
