On May 29, 2019, Forbes.com reported that “Flipboard, the hugely popular news aggregation app that is used by 150 million people each month, has been hacked. Twice. According to a security notice posted by Flipboard, what it calls ‘unauthorized access’ to databases took place between June 2, 2018 and March 23, 2019 as well as April 21, 2019 and April 22, 2019. The hacker is confirmed as having ‘potentially obtained copies of certain databases containing Flipboard user information.'”
On May 29, 2019, theinquirer.net reported that “[t]he data of 1.5 million accounts is thought to have been affected, but sensitive information such as passwords should be ok because they are protected with ‘salted hashing’.”
Flipboard’s “Notice of Security Incident” reported the following:
[Flipboard] recently identified unauthorized access to some of our databases containing certain Flipboard users’ account information, including account credentials. In response to this discovery, [Flipboard] immediately launched an investigation and an external security firm was engaged to assist. Findings from the investigation indicate an unauthorized person accessed and potentially obtained copies of certain databases containing Flipboard user information between June 2, 2018 and March 23, 2019 and April 21 – 22, 2019.
What information was involved
The databases involved contained some of [Flipboard] users’ account information, including name, Flipboard username, cryptographically protected password and email address.
Flipboard has always cryptographically protected passwords using a technique known by security experts as “salted hashing”. The benefit of hashing passwords is that [Flipboard] never need[s] to store the passwords in plain text. Moreover, using a unique salt for each password in combination with the hashing algorithms makes it very difficult and requires significant computer resources to crack these passwords. If users created or changed their password after March 14, 2012, it is hashed with a function called bcrypt. If users have not changed their password since then, it is uniquely salted and hashed with SHA-1.
Additionally, if users connected their Flipboard account to a third-party account, including social media accounts, then the databases may have contained digital tokens used to connect their Flipboard account to that third-party account. [Flipboard has] not found any evidence the unauthorized person accessed third-party account(s) connected to users’ Flipboard accounts. As a precaution, [Flipboard has] replaced or deleted all digital tokens.
Importantly, [Flipboard does] not collect from users, and this incident did not involve, Social Security numbers or other government-issued IDs, bank account, credit card, or other financial information. [Emphasis added.]
For additional information about what steps Flipboard is taking, what Flipboard users can do, as well as additional information about the data breach, please click here.