Flipboard

The news aggregation site, Flipboard, has disclosed that their databases had been hacked and unauthorized users have potentially downloaded the data contained within them. This data included the personal account information and digital tokens for some of their over 100 million users.

According to emails seen by BleepingComputer and a security incident notice published on their site, Flipboard stated that hackers gained access to some of their databases during two different time periods. The first time was between June 2nd, 2018 and March 23, 2019 and the second was between April 21st and 22nd, 2019.

It is not known if these were the same users accessing the databases at different periods or two separate data breaches.

"We recently identified unauthorized access to some of our databases containing certain Flipboard users’ account information, including account credentials," stated Flipboard's security incident notice. "In response to this discovery, we immediately launched an investigation and an external security firm was engaged to assist. Findings from the investigation indicate an unauthorized person accessed and potentially obtained copies of certain databases containing Flipboard user information between June 2, 2018 and March 23, 2019 and April 21 – 22, 2019."

On April 23rd, 2019, while investigating suspicious activity on their databases in March 2019, they discovered that there was further unauthorized activity on April 21-22nd, 2019.

Flipboard Data Breach Notice Email

This allowed the hackers to view and potentially download user information such as user names, hashed and salted passwords, and for some users, their email addresses and digital tokens used to log in to Flipboard using site credentials from Google, Facebook, and Twitter.

Flipboard states that the vast majority of the exposed user passwords were hashed with a strong password-hashing function called bcrypt. This would make it difficult, but not impossible, to crack the passwords. Users who have not logged into their accounts since March 14th, 2012, though, would have had their passwords hashed using SHA-1, which would be easier to crack.
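For defenders in the same position, the split between bcrypt and legacy SHA-1 hashes can be audited directly from the stored hash strings. The following is an added example, not Flipboard's code; the legacy `salt$digest` layout, the `MIN_COST` floor, the record fields and the sample accounts are assumptions made for illustration.

```python
import re
from datetime import date

# bcrypt modular-crypt string: $2a$/$2b$/$2y$, 2-digit cost, 53 chars of salt+digest
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# Assumed legacy storage layout for this example: "<hex salt>$<40-hex SHA-1 digest>"
SHA1_RE = re.compile(r"^[0-9a-f]+\$[0-9a-f]{40}$")
MIN_COST = 10                    # assumed policy floor for the bcrypt work factor
CUTOFF = date(2012, 3, 14)       # date the article gives for the SHA-1 accounts

def classify(stored):
    """Return (scheme, bcrypt cost or None) for a stored hash string."""
    m = BCRYPT_RE.match(stored)
    if m:
        return "bcrypt", int(m.group(1))
    if SHA1_RE.match(stored):
        return "salted-sha1", None
    return "unknown", None

def audit(users):
    """Map each account name to the remediation its stored hash calls for."""
    actions = {}
    for u in users:
        scheme, cost = classify(u["hash"])
        if scheme == "bcrypt" and cost >= MIN_COST:
            actions[u["name"]] = "ok"
        elif scheme == "bcrypt":
            # Can only be re-hashed when the user next supplies the password.
            actions[u["name"]] = "rehash-on-next-login"
        else:
            # A fast or unrecognised hash cannot be upgraded in place.
            actions[u["name"]] = "invalidate-and-force-reset"
    return actions

def missed_migration(users):
    """Accounts active after CUTOFF that still lack a bcrypt hash."""
    return [u["name"] for u in users
            if u["last_login"] > CUTOFF and classify(u["hash"])[0] != "bcrypt"]

# Constructed sample records; the hash strings are fillers, not real digests.
USERS = [
    {"name": "alice", "hash": "$2b$12$" + "x" * 53, "last_login": date(2019, 3, 1)},
    {"name": "bob", "hash": "$2a$04$" + "y" * 53, "last_login": date(2015, 6, 9)},
    {"name": "carol", "hash": "ab12cd34$" + "0" * 40, "last_login": date(2013, 1, 5)},
    {"name": "dave", "hash": "ab12cd34$" + "f" * 40, "last_login": date(2011, 11, 2)},
]

if __name__ == "__main__":
    for name, action in audit(USERS).items():
        print(f"{name:6} {action}")
    print("migration gaps:", missed_migration(USERS))
```

An account that appears in `missed_migration` logged in after the cutoff yet still carries a fast hash, which points to a gap in the upgrade-on-login path rather than simple inactivity.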

Of particular concern are digital tokens for sites used to log in to Flipboard that were stored in the database. If the hacker gained access to these tokens, they could use them to gain access in some manner to these other sites. To be safe, Flipboard replaced or deleted all digital tokens stored in these databases.

"Flipboard replaced or deleted all digital tokens. Those tokens are no longer valid and therefore cannot be misused. Prior to the digital tokens being replaced or deleted, the access that the unauthorized person may have had to the third-party accounts linked to Flipboard accounts varies by the type of linked account as well as the permissions the user gave when linking it to the user’s Flipboard account, but potentially may have allowed the unauthorized person to read or make posts and messages on the account and access some user account information, such as user name, profile information, posts to the site, and connections. In some cases, this access also allowed changes to this information, such as inviting new people to connect. We have not found any evidence the unauthorized person accessed third-party account(s) connected to your Flipboard accounts."

Flipboard has stated that they are still investigating the breach and do not know at this time how many users were affected. Due to this, they have decided to reset all of their users' passwords and have emailed them a security notice describing the incident.

"We’re still in the process of determining the total number. We do know that not all accounts were compromised."
