Flipboard, a news aggregator service and mobile news app, has disclosed a security incident in which hackers had access to its internal systems for more than nine months. Flipboard has started notifying impacted customers by email. The company stated that the attackers gained access to databases used for storing customer information.
The databases stored information such as Flipboard usernames, hashed and uniquely salted passwords, and in some cases, emails or digital tokens that linked Flipboard profiles to accounts on third-party services.
The majority of passwords were hashed with a strong password-hashing algorithm named bcrypt, which is currently considered difficult to crack, while some passwords were hashed with the weaker SHA-1 algorithm.
Passwords created or changed after March 14, 2012, are hashed with bcrypt. Passwords that have not been changed since then are uniquely salted and hashed with SHA-1.
Flipboard did not reveal the exact number of accounts that were accessed by the hackers, but it confirmed that not all Flipboard accounts were impacted.
The company is now in the process of resetting all customer passwords, regardless of whether users were impacted. It has also already replaced all digital tokens that customers used to connect Flipboard with third-party services like Facebook, Twitter, Google, and Samsung.
Flipboard stated that it hasn't found any evidence that third-party accounts connected to Flipboard accounts were accessed by unauthorized persons. The security breach is nevertheless considered substantial.
According to Flipboard, hackers had access to its internal systems for almost nine months, first between June 2, 2018, and March 23, 2019, and then for a second time between April 21 and April 22, 2019.
The company detected the breach on April 23 while investigating suspicious activity on its database network. It has notified law enforcement of the security breach.