Flipboard Database Breach Exposed Sensitive User Data For More Than 9 Months

Popular news aggregator Flipboard disclosed a security breach, which gave hackers unauthorized access to its database systems for more than nine months.

After discovering unauthorized access to some of its databases containing certain Flipboard users’ account information, including account credentials, Flipboard launched an investigation with an external security company and law enforcement.

The investigation found unauthorized access attempts against its databases between June 2, 2018 and March 23, 2019, and again on April 21 – 22, 2019.

Flipboard also said it detected the intrusion a day after the second hack, on April 23, "after identifying suspicious activity in the environment where the databases reside."

The databases involved contained some Flipboard users’ account information, including name, username, cryptographically protected password and email address.

Flipboard has always cryptographically protected passwords using “salted hashing”.

If users created or changed their password after March 14, 2012, it is hashed with a function called bcrypt. If users have not changed their password since then, it is uniquely salted and hashed with the weaker SHA-1 algorithm, explained Flipboard.

Other breached data included information regarding access to third-party services.

If users ever used their Flipboard account to connect to third-party services, then the databases may have contained digital tokens used to connect their Flipboard account to those third-party accounts.

To notify affected users, the company is sending an email from the sender [email protected] with the subject line: “Flipboard Security Notice.”

“We have not found any evidence the unauthorized person accessed third-party account(s) connected to users’ Flipboard accounts. As a precaution, we have replaced or deleted all digital tokens,” said the company in the notice.

"While you can continue using Flipboard from devices you’re already logged in, you’ll be prompted to create a new password if you try signing in afresh," explained Flipboard.

Flipboard has more than 145 million monthly active users. The company did not disclose exactly how many of its users were affected by the breach, saying only that a “subset of user data” had been compromised.

With this incident, Flipboard joins the list of companies that have been breached by hackers this month alone.

Previously, developer Q&A site Stack Overflow suffered a similar security breach. At that time, an attacker was able to log into its development tier as well as escalate their access on the production version of stackoverflow.com.

Around 250 public network Stack Overflow users were affected.