Popular news aggregation site Flipboard – one billion app downloads from Google Play and counting – has become the latest internet company to admit it has suffered a breach.
We’ve covered a lot of data breaches in recent years but this one has one or two wrinkles that are worth highlighting.
According to Flipboard, hackers gained access to data between 2 June 2018 and 23 March 2019, plus a short window between 21 and 22 April 2019.
It’s not clear how many Flipboard users had their data compromised. Data stolen included names, Flipboard user names, email addresses and hashed passwords.
The good news is that passwords on accounts created since 2012 were salted and hashed using Bcrypt, which should make life very hard for anyone trying to guess secure passwords on any scale. However, accounts created before 14 March 2012 (and not changed since) used the less secure SHA-1.
Password reset
The first question, then, “Should I change my password?” Flipboard’s advisory says:
As a precaution, we have reset all users’ passwords, even though the passwords were cryptographically protected and not all users’ account information was involved.
However, anyone who remains logged in (from their smartphone, say) won’t receive notice of the need to reset their password unless they either log out or attempt to access Flipboard from a new device.
Our advice is to ignore the uncertainty over how many users are affected and manually change the password to something secure as soon as possible. If you’ve not changed your password since March 2012, that becomes an absolute must (Flipboard’s userbase was approaching 20 million at that time.)
And, if there’s a chance you reused your Flipboard password on another site then that will need to be changed too.
Third-party login
A Flipboard feature available since around 2015 is the ability to register a new account quickly via Google, Facebook and Twitter using Single Sign On (SSO). That is a concern, admitted Flipboard’s advisory:
The [breached] databases may have contained digital tokens used to connect your Flipboard account to that third-party account. As a precaution, we have replaced or deleted all digital tokens to eliminate any possibility of misuse.
Before they were changed, hackers could have used these tokens to:
Read or make posts and messages on the account and access some user account information, such as user name, profile information, posts to the site, and connections. In some cases, this access also allowed changes to this information, such as inviting new people to connect.
The company said it hadn’t detected abuse of these accounts but the fact the tokens have been refreshed means that anyone using SSO will need to re-authorise access via the account (the process for which varies depending on whether Android or iOS is being used).
What’s stopping the hackers from coming back?
After almost every data breach, companies promise to tighten up security, without explaining what this means. It’s no surprise to learn that Flipboard is doing the same:
To help prevent something like this from happening in the future, we implemented enhanced security measures and continue to look for additional ways to strengthen the security of our systems. For security reasons we are not sharing specific details.
What’s concerning in this breach is perhaps less that it happened but that it then went undetected for nearly 10 months, by Flipboard’s reckoning. That’s more than enough time for hackers to exploit stolen data.
For more information and advice from Flipboard, refer to their article.
Loree Eatherton
I deleted the app from my phone a while back, however it is still in my cloud account. How secure would my iPhone data have been during the breach?
Paul Ducklin
If we ignore that the crooks now have a confirmed match between your name and your email address – not much of a secret for most people, and not specific to your iPhone anyway – then all the crooks really have to play with is a salted-and-hashed version of your password.
So if we assume you chose a decent Flipboard password then the crooks probably aren’t going to get round to cracking it any time soon… but even if they do, then so as long as you didn’t use the same password for any iPhone related data, you should be fine. They *might* recover your now-expired Flipboard password, but it’s no longer valid for Flipboard anyway, so that’s pretty much that if you didn’t reuse that password anywhere else.