SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Users’ names and email addresses leaked in Flipboard data breach
Thu, 30th May 2019

Content aggregation site Flipboard has been a victim of a data breach that possibly compromised users' names, Flipboard usernames, cryptographically protected passwords and email addresses.

In an email to its users, Flipboard said it recently identified unauthorised access to some of its databases containing certain Flipboard users' account information, including account credentials.

“In response to this discovery, we immediately launched an investigation and an external security firm was engaged to assist.

“Findings from the investigation indicate an unauthorised person accessed and potentially obtained copies of certain databases containing Flipboard user information between June 2, 2018, and March 23, 2019, and between April 21 and 22, 2019.

Flipboard went on to explain the techniques it uses to protect user passwords.

“Flipboard has always cryptographically protected passwords using a technique known by security experts as ‘salted hashing’.

“The benefit of hashing passwords is that we never need to store the passwords in plain text.

The statement adds, “Moreover, using a unique salt for each password in combination with the hashing algorithms makes it very difficult and requires significant compute resources to crack these hashed passwords.

“If you created or changed your password after March 14, 2012, it is hashed with a function called bcrypt. If you have not changed your password since then, it is uniquely salted and hashed with SHA-1.
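The two schemes the notice describes, a unique salt per password combined with a hash, and the later move to a deliberately slow function, can be seen side by side in the added example below. This is illustrative code written for this article, not Flipboard's implementation: the `scheme$salt$digest` record layout is an assumption, and because bcrypt is not in the Python standard library, `hashlib.scrypt` stands in as a comparable slow, salted password hash. It also shows the defender-side step the notice implies, re-hashing a legacy SHA-1 record to the slow scheme on the next successful login.

```python
import hashlib
import hmac
import os
import time

# Record layout "scheme$salt_hex$digest_hex" is a constructed assumption for this
# example, not Flipboard's actual storage format.


def legacy_sha1_hash(password, salt):
    """Uniquely salted SHA-1, the older scheme described in the notice."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return "sha1$%s$%s" % (salt.hex(), digest)


def modern_hash(password, salt=None):
    """Slow, salted password hash. scrypt stands in for bcrypt here (assumption:
    bcrypt is not available in the standard library)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1)
    return "scrypt$%s$%s" % (salt.hex(), dk.hex())


def verify(password, stored):
    """Recompute the stored record from the candidate password and compare in
    constant time, so the check works for both legacy and modern records."""
    try:
        scheme, salt_hex, _digest = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if scheme == "sha1":
        candidate = legacy_sha1_hash(password, salt)
    elif scheme == "scrypt":
        candidate = modern_hash(password, salt)
    else:
        return False
    return hmac.compare_digest(candidate, stored)


def verify_and_upgrade(password, stored):
    """Return (ok, record_to_store). After a successful login against a legacy
    sha1 record the plaintext is available, so the record is re-hashed with the
    slow scheme; a failed login never touches the record."""
    if not verify(password, stored):
        return False, stored
    if stored.startswith("sha1$"):
        return True, modern_hash(password)
    return True, stored


def seconds_per_hash(hash_fn, iterations):
    """Rough cost measurement: how long one evaluation of hash_fn takes, which is
    what an offline guessing attack against a stolen record must pay per guess."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for _ in range(iterations):
        hash_fn("password123", salt)
    return (time.perf_counter() - start) / iterations


if __name__ == "__main__":
    # Constructed legacy record, as a user who never changed their password would have.
    old = legacy_sha1_hash("correct horse battery staple", os.urandom(8))
    ok, new = verify_and_upgrade("correct horse battery staple", old)
    print("login ok:", ok, "| record upgraded to:", new.split("$")[0])
    print("sha1   seconds/hash: %.2e" % seconds_per_hash(legacy_sha1_hash, 10000))
    print("scrypt seconds/hash: %.2e" % seconds_per_hash(modern_hash, 5))
```

The upgrade-on-login pattern is why a breach notice distinguishes users by password age: records that were never re-hashed keep the cost profile of the scheme that originally produced them, and a forced reset (as Flipboard applied) is the only way to retire them for users who do not log in.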

Flipboard has reset all users' passwords as a precaution.

Users can continue to use the app on devices from which they are already logged in, but will be prompted to create a new password if they access their account from a new device.

“As another precautionary step, we disconnected tokens used to connect to all third-party accounts, and in collaboration with our partners, we replaced all digital tokens or deleted them where applicable,” the statement said.

“Additionally, to help prevent something like this from happening in the future, we implemented enhanced security measures and continue to look for additional ways to strengthen the security of our systems.

“We also notified law enforcement.

BlackFog CEO and founder Dr Darren Williams says, “What's particularly concerning about this case is that an unauthorised person had access to the news aggregator's database for such a long period of time – more than nine months – and was able to make copies of user account information.

“For consumers, this shows us the importance of being your own first line of defence and using different passwords across platforms.

“The Flipboard hacker had access to user names, email addresses, and encrypted passwords – a dangerous combination for those who rely on one password.