Flipboard admits double hack: personal user data at risk

by Gabriel E. Hall - - 2019-05-29

News aggregation app Flipboard was hacked twice since March 2018

Flipboard hack: users' personal data breached during the attempt Flipboard data breach stroke twice and possibly touched millions of users accounts

An immensely popular news aggregation application Flipboard, which is used by 150 million users monthly, was involved in two hacking attempts that resulted in its users' personal data disclosure. The first data breach took place between June 2, 2018, and March 23, 2019, while the second one occurred from April 21, 2019, to April 22, 2019, when unidentified hackers managed to break into internal databases.^[1] The suspicious activity was detected immediately after the second hack – on April 23.

Luckily, no financial information or Social Security numbers were revealed as the app does not collect such user details. However, some other visitor data was brought to the surface, which included user names and surnames, provided email addresses, account tokens for third-party services, and encrypted passwords.

Even though not all Flipboard user accounts were affected by the breach, the company claims to have reset all visitor passwords as a precautionary measure. Additionally, tokens were also discontinued:^[2]

As another precautionary step, we disconnected tokens used to connect to all third-party accounts, and in collaboration with our partners, we replaced all digital tokens or deleted them where applicable.

The company has also contacted a law enforcement agency, along with a security firm to conduct a forensic investigation, which would explain why and how the breach happened. In general, Flipboard handled the situation reasonably well, being open about the ordeal, also assuring for security improvements to its systems.

Passwords created before May 2012 might be more prone to compromise

Users who created their accounts after May 14, 2012, or changed their old passwords after this date have a better chance of retaining them from exposure, as passwords which were created before this date appear to be modified by using a weaker SHA-1 algorithm.^[3] Fortunately, afterward, more sophisticated ciphers were used to scramble passwords, making it much more difficult to decipher.

Flipboard also revealed that the two hacking attempts affected the account tokens which provide access to particular information from other popular directories such as Facebook, Samsung, Google, and Twitter.^[4] The organization ensures users that it is safe to log in to these accounts and continue using them after all:^[2]

If you use Twitter/Google/Samsung/Facebook to log into your Flipboard account, you can continue to do so. Your password is not stored in our database and we’ve rotated digital tokens.

Flipboard is not the only company affected by data breaches – make sure to secure your passwords

Currently, Flipboard is still trying to figure out the number of accounts that were hacked during the breach, although the 150 million visitor mark is likely. Nevertheless, the company has sent each user and informative email message on how to create a new password for the account when logging into it again.

Flipboard provided a specific hyperlink^[5] which is supposed to help visitors to change their passwords. However, the company warns users that the password reset needs to be completed before the link expiration date in order to ensure full account protection:

Be sure to complete the password reset soon, as the link will expire after some time. If the password reset link no longer works, you can resend a password reset email. We recommend you update your password from time to time to help ensure account security.

Breaches like Flipboard's are not uncommon nowadays as hackers are finding new ways how to access customers' private data of large-scale organizations. For example, just this month online service marketplace Wyzant was hacked, and hackers managed to enter customer database on internal networks, exposing names, emails, zip codes, as well as Facebook profile information.

Another incident occurred in April, when open source container Docker Hub suffered a cyber attack, affecting 190,000 of its users. Similarly to Flipboard's case, usernames, hashed passwords, and tokens were affected.^[6]

To ensure your passwords remain safe, make sure you do not reuse them. Additionally, enabling two-factor authentication where possible is also a good idea, as it often prevents most hacks from abusing the stolen data.

About the author

Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions

References

^ Davey Winder. Flipboard Confirms It Was Hacked Twice: 150M Users At Risk As Passwords Stolen. Forbes.com. Latest news.
^ NOTICE OF SECURITY INCIDENT. Flipboard.com. Relevant information.
^ Tim Fisher. What Is SHA-1 and How Is It Used for Data Verification?. Lifewire.com. News source.
^ Zack Whittaker. Flipboard hacks prompt password resets for millions of users. Tech Crunch. Independent news source.
^ Flipboard accounts. Flipboard. Password reset.
^ Linas Kiguolis . Unauthorized access to a Docker Hub database affects 190,000 of its users. 2-spyware. Cybersecurity news and articles.