Flipboard just announced that it is resetting the passwords of all its users after it was found out that their site has suffered a massive data breach. The databases containing usernames and passwords of Flipboard users were accessed by hackers including tokens for third-party services that are connected to Flipboard.
According to Flipboard, they have identified the unauthorized access to some of their databases containing certain users’ account information and credentials. The announcement said that Flipboard immediately engaged the services of an external security firm which found out that indeed, hackers were able to access some databases specifically between June 2, 2018, and March 23, 2019, and April 21-22, 2019.
The investigation didn’t specify though how many users were affected. Flipboard decided to reset the passwords of all its users to respond to the discovery.
In a post to its website, Flipboard says:
“We recently identified unauthorized access to some of our databases containing certain Flipboard users’ account information, including account credentials. In response to this discovery, we immediately launched an investigation and an external security firm was engaged to assist. Findings from the investigation indicate an unauthorized person accessed and potentially obtained copies of certain databases containing Flipboard user information between June 2, 2018 and March 23, 2019 and April 21 – 22, 2019.”
Additionally, Flipboard also pointed out that the passwords that were accessed by hackers were cryptographically protected by salted hashing. Passwords that were created or changed after March 14, 2012, were secured with bcrypt. However, passwords created before the said date and has not been changed since they were not as strong as they are protected only through SHA-1 hashing algorithm. The company said that this is a weak password protection method.
Aside from users’ account information including name, username, password, and email address, third-party accounts connected to Flipboard may also have been affected. According to Flipboard, if a user has connected his social media accounts to his Flipboard account, this may have contained digital tokens of the social media accounts. These digital tokens can be used by hackers to access third-party accounts. The good news is that up to now, there has been no report of third-party account hacking due to the Flipboard hack.
Flipboard has already reported the incident to law enforcement authorities and is awaiting results of the investigation. In the meantime, the company is resetting passwords for all its members. It has also disconnected, replaced and deleted digital tokens that are used to connect to third-party services.