Flipboard Resets Its Users' Passwords After Discovering That Hackers Had Access to Its Databases for More Than Nine Months

For those of you who don't know, Flipboard is a news aggregator service that has more than 100 million users and collects articles from around 11 thousand websites. On April 23, its engineers noticed unusual activity in the logs and decided to investigate. They ended up discovering a rather worrying data breach.

Flipboard was first breached twelve months ago

Flipboard's technicians first decided to take a look because they suspected unauthorized access to some of the databases around April 21. It turned out that the breach happened much earlier than their initial estimations. The team found out that hackers did indeed have access to the databases between April 21 and April 22, but they also discovered a breach from late March. Upon further investigation, the news aggregation service realized that cybercriminals first broke through Flipboard's defenses on June 2, 2018. They stayed inside until March 23, 2019 and came back in late-April.

In other words, the hackers had access to Flipboard users' information for exactly 295 days or just over nine months and three weeks.

It’s not as bad as it sounds

Although the timeline of the attack seems to be clear, Flipboard still don't have all the details. They don't know, for example, how many people were affected, though they seem to be pretty confident that not all users had their data exposed.

The information that was available to the hackers includes usernames, email addresses, digital tokens of people who use third-party accounts to access Flipboard, and, as the news aggregator puts it in its data breach notice, "cryptographically protected" passwords. By "cryptographically protected", they mean hashed, which is good news for the affected users.

Hashing is a one-way cryptographic function that turns a password into a random string of characters. If passwords are hashed, they remain inaccessible even for the service provider, which is why security experts say that this is the way users' passwords should be treated. Thankfully, Flipboard's developers have been listening.

Of course, there are many different hashing algorithms, and predictably, some are stronger than others. Since March 14, 2012, Flipboard has used bcrypt, which is widely considered to be one of the most secure hashing functions currently available. Passwords that were created before March 2012 were hashed with SHA1, which is nowhere near as strong, but because every single one of these passwords got its own unique salt, cracking them will still be a fairly difficult job.

All users to change their passwords, just in case

Flipboard has yet to see evidence of someone misusing the exposed data, but to be on the safe side, it's already taking some precautions to ensure that users don't suffer too badly. All access tokens that people have used to create Flipboard accounts through their social media profiles have been invalidated and deleted. In addition to this, although the attack didn't affect all users, every single Flipboard password will be reset. People will remain logged in on the devices they're currently using, but the next time they log out, they'll be forced to create a new password.

Flipboard said that although it's confident in the hashing function's security, it's implementing the password reset out of an abundance of caution. It also advised people to use unique passwords for all online services and furnished the data breach notice with additional details on how to manually change your password and how to spot potential phishing campaigns that might try to take advantage of the news surrounding the attack.

Overall, the Flipboard data breach isn't the worst cybersecurity incident we've ever seen. The company took enough precautions in order to make sure that should the worst happens, people's information is kept relatively safe, and it now seems to be very open and transparent about the whole thing. Indeed, the hackers remained undetected for close to ten months, which is worrisome, but hopefully, the news aggregator will adopt some new practices and will monitor its systems more closely from now on.