Flipboard hacked -- attackers had access to database of user information for 9 months
Flipboard is resetting the passwords of millions of users after suffering a data breach. Hackers were able to access databases containing usernames and passwords, as well as access tokens for some third-party services.
The company has not revealed how many users are affected by the security incident, but says that hackers had access to its systems for nine months.
Flipboard points out that the passwords hackers accessed were cryptographically protected using salted hashing. But there's a caveat. While user passwords created or changed after March 14, 2012 were protected with the strong and secure bcrypt, those created before this date and not changed since were only protected by the comparatively weak SHA-1 hashing algorithm.
In a notification posted to its website, Flipboard says:
We recently identified unauthorized access to some of our databases containing certain Flipboard users' account information, including account credentials. In response to this discovery, we immediately launched an investigation and an external security firm was engaged to assist. Findings from the investigation indicate an unauthorized person accessed and potentially obtained copies of certain databases containing Flipboard user information between June 2, 2018 and March 23, 2019 and April 21 - 22, 2019.
The company explains that the hackers were able to access "some of our users' account information, including name, Flipboard username, cryptographically protected password and email address".
But this is not the end of the story:
Additionally, if users connected their Flipboard account to a third-party account, including social media accounts, then the databases may have contained digital tokens used to connect their Flipboard account to that third-party account. We have not found any evidence the unauthorized person accessed third-party account(s) connected to users' Flipboard accounts. As a precaution, we have replaced or deleted all digital tokens.
Flipboard says that while not all user accounts were affected by the breach, it is resetting passwords for everyone. Digital tokens used to connect to third-party services have also been disconnected, replaced or deleted as appropriate.
The company has notified law enforcement about the incident.