Flipboard, the popular news aggregator service that boasted up to 145 million monthly users as of August last year, recently announced that an unknown hacker gained access to and stole data from some databases that contained names, email addresses, usernames, and passwords of an undisclosed number of its users.
The breach of Flipboard’s databases containing personal information and credentials of its users took place on two occasions- once between June 2, 2018, and March 23, 2019, and again between April 21 – 22 this year.
Even though the company discovered the breaches after they had occurred, it said that for users who set up new passwords or changed their passwords after March 14, 2012, there is little chance of hackers taking over their accounts as those passwords were cryptographically protected using the “salted hashing” technique which makes it difficult for anyone to decrypt them.
However, those users who created their accounts and set up their Flipboard passwords prior to March 14, 2012 are being advised to change their passwords at the earliest as their passwords were not encrypted using the salted hashing technique. As a precaution, Flipboard has reset the passwords of all users in order to prevent hackers from carrying out account takeovers.
At the same time, the company has also replaced or deleted all digital tokens that connected users’ accounts to their third-party accounts such as those with Google and Facebook. This will prevent hackers from using digital tokens stolen from compromised databases to take over accounts of users who log in to Flipboard using their Google or Facebook accounts.
The company also assured its users in a security notice that since it does not collect sensitive information such as social security numbers or other government-issued IDs, bank account, credit card, or other financial information, there is no chance of hackers gaining access to personally identifiable information (PII) belonging to users.
Flipboard resets all passwords & tokens to minimise the impact of the breach
“We recently identified unauthorised access to some of our databases containing certain Flipboard users’ account information, including account credentials. In response to this discovery, we immediately launched an investigation and an external security firm was engaged to assist,” Flipboard said in its security notice.
“Findings from the investigation indicate an unauthorized person accessed and potentially obtained copies of certain databases containing Flipboard user information between June 2, 2018 and March 23, 2019 and April 21 – 22, 2019. The databases involved contained some of our users’ account information, including name, Flipboard username, cryptographically protected password, and email address.
“To help prevent something like this from happening in the future, we implemented enhanced security measures and continue to look for additional ways to strengthen the security of our systems. For security reasons we are not sharing specific details,” it added.
Commenting on an unnamed hacker gaining access to databases containing sensitive information about Flipboard users, Martin Jartelius, CSO at Outpost24, said that the news of the breach is concerning not only due to the very prolonged initial breach, but also due to the fact that we are now almost two months past the end of that initial breach, and one month past the second breach.
“The main risk for users here is the connection between their identity and a potentially re-used password – there are tools available for hackers to attempt to analyze the protected passwords to break weaker passwords, then testing those retrieved credentials against a large set of popular online services.
“So for any user re-using your passwords – firstly stop doing so, and secondly, ensure that you change the password on any sites where your Flipboard password could have been reused. If this was your email, also ensure you still have control of all your online accounts,” he added.
ALSO READ: Upto 600m user passwords were stored on Facebook servers in plain text