Flipboard has started sending notification messages to its users, informing them of a security incident that jeopardized their account data. According to the official announcement, hackers managed to gain access to the internal systems of the popular news and social network aggregation company and maintained their access to the breached databases for a period of nine months. Those databases held customer information such as names, usernames, email addresses, and “salted” passwords, so the hackers had all the time in the world to dig deep and gather whatever they could.
We recently identified & addressed a security incident. We’ve taken measures to protect users’ accounts & secure our systems. As a precautionary measure, we proactively reset all user passwords. We’re providing more details via email & on our support page. https://t.co/tSTKwt7PYN
— Flipboard (@Flipboard) May 28, 2019
Flipboard says its users shouldn’t freak out immediately, because the cryptographically protected passwords that were leaked in this breach are tough to crack. As the company clarifies, it was using a unique salt for each password in combination with the hashing algorithm, so it would be infeasible for the hackers to spend the time and resources required to crack even one of them. This, however, doesn’t apply to all users: those who created their Flipboard account before March 14, 2012, and never changed their password are protected with the SHA-1 hashing algorithm and not the bcrypt that was introduced later.
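The gap described above, where accounts that never changed their password stay on the older hash, is usually closed by re-hashing at the next successful login. The following is an added example, not Flipboard's code: the record format and function names are assumptions, and PBKDF2 from the Python standard library stands in for bcrypt so the block runs without third-party packages.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2 work factor (assumed value; tune to your hardware)

def legacy_sha1_record(password: str, salt: bytes) -> str:
    """Build a constructed legacy record: one fast SHA-1 pass over salt+password."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"

def current_record(password: str) -> str:
    """Hash with a fresh per-user salt and a deliberately slow KDF."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${dk.hex()}"

def is_legacy(stored: str) -> bool:
    """True for records that should be force-reset or upgraded on next login."""
    return stored.startswith("sha1$")

def verify_and_upgrade(password: str, stored: str):
    """Return (ok, replacement). replacement is a new record when a legacy
    hash verified and should overwrite the stored one, otherwise None."""
    parts = stored.split("$")
    if parts[0] == "sha1" and len(parts) == 3:
        salt = bytes.fromhex(parts[1])
        candidate = hashlib.sha1(salt + password.encode()).hexdigest()
        ok = hmac.compare_digest(candidate, parts[2])  # constant-time compare
        return ok, (current_record(password) if ok else None)
    if parts[0] == "pbkdf2" and len(parts) == 4:
        salt = bytes.fromhex(parts[2])
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(parts[1]))
        return hmac.compare_digest(dk.hex(), parts[3]), None
    return False, None  # unknown scheme: fail closed
```

Upgrade-on-login only helps users who come back, which is why dormant legacy records are typically flagged with a check like `is_legacy` and reset outright.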
Still, Flipboard decided to reset all user passwords, even those that were out of the reach of the hackers, so when you return to the service, you will be prompted to create a new password. Another precautionary security step taken by Flipboard was to disconnect account linking tokens and create new ones with the help of their partners. This means that if you were using a token to connect your Flipboard account with your social media account, you will now have to create a new digital token and reestablish the linkage.
As the internal investigation is still ongoing, Flipboard cannot yet tell the public how many accounts were involved in the incident. Many accounts have not been compromised, but they were reset nonetheless, and all owners have received the relevant notice. As required by law for such incidents, the company has also notified US law enforcement and California data protection agencies. Now, as much as users appreciate Flipboard’s straightforward and sincere breach notices, there is understandable disappointment at the fact that it took the company’s IT team a full nine months to discover that something suspicious was going on in the databases.