Popular news aggregation platform Flipboard has disclosed a glaring security breach, which gave hackers unauthorized access to its database systems for more than nine months.
As a precautionary step, it has reset all users’ passwords. While you can continue using Flipboard on devices where you’re already logged in, you’ll be prompted to create a new password if you try signing in afresh.
Flipboard has more than 145 million monthly active users. The company didn’t disclose the exact number of accounts that had been breached, but said only a “subset of user data” had been compromised.
It also said it is in the process of notifying all affected users. Be sure to watch out for an email from the sender “firstname.lastname@example.org” with the subject line: “Flipboard Security Notice.”
The breached database was used to store users’ account information, including sensitive data like usernames, email addresses, and encrypted passwords, the company said.
In a notice published on Tuesday, Flipboard confirmed that the hacks took place between June 2, 2018 and March 23, 2019, and a second time on April 21-22, 2019.
Flipboard said it detected the intrusion a day after the second hack, on April 23, “after identifying suspicious activity in the environment where the databases reside.” It has also notified law enforcement of the security breach.
Although the passwords were hashed and salted, making them unreadable and difficult to crack, Flipboard cautioned that passwords set prior to March 14, 2012 were hashed with the weaker SHA-1 algorithm. Passwords created or changed after that date have been cryptographically protected using the bcrypt password hashing function.
Out of caution, all users ought to change their passwords – especially those who haven’t done so since 2012.
The hacks also exposed digital account tokens of a few users; tokens are used when connecting your Flipboard account to third-party services, including social media accounts.
“We have not found any evidence the unauthorized person accessed third-party account(s) connected to users’ Flipboard accounts. As a precaution, we have replaced or deleted all digital tokens,” said the company in the notice.
With this incident, Flipboard joins the long list of companies that have been breached by hackers this month alone.
Developer Q&A site Stack Overflow suffered a similar security lapse a couple of weeks ago. A few days back, graphic design startup Canva was hacked as well, with customer data of roughly 139 million users stolen during the incident.