
Users’ names and email addresses leaked in Flipboard data breach

30 May 2019

Content aggregation site Flipboard has been a victim of a data breach that possibly compromised users’ names, Flipboard usernames, cryptographically protected passwords and email addresses.

In an email to its users, Flipboard said it recently identified unauthorised access to some of its databases containing certain Flipboard users' account information, including account credentials.

“In response to this discovery, we immediately launched an investigation and an external security firm was engaged to assist. 

“Findings from the investigation indicate an unauthorised person accessed and potentially obtained copies of certain databases containing Flipboard user information between June 2, 2018, and March 23, 2019, and between April 21 to 22, 2019.”

Flipboard went on to explain the techniques it used to protect user passwords.

“Flipboard has always cryptographically protected passwords using a technique known by security experts as 'salted hashing'.”

“The benefit of hashing passwords is that we never need to store the passwords in plain text.”

The statement adds, “Moreover, using a unique salt for each password in combination with the hashing algorithms makes it very difficult and requires significant compute resources to crack these hashed passwords.”

“If you created or changed your password after March 14, 2012, it is hashed with a function called bcrypt. If you have not changed your password since then, it is uniquely salted and hashed with SHA-1.”
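The two kinds of record the statement describes can be handled in one login path that verifies either scheme and upgrades legacy salted SHA-1 records once the user's password is known to be correct. This is an added example that goes beyond what the statement says, not Flipboard's code: the record format, the salt-then-password SHA-1 layout and all function names are assumptions, and PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt.

```python
from __future__ import annotations

import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for new records; tune to your hardware


def hash_legacy_sha1(password: str, salt: bytes) -> str:
    # Assumed layout: SHA-1 over salt || password. One fast hash per guess.
    return f"sha1${salt.hex()}${hashlib.sha1(salt + password.encode()).hexdigest()}"


def hash_adaptive(password: str, salt: bytes | None = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    # Stand-in for bcrypt: the iteration count makes every guess deliberately slow.
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> tuple[bool, bool]:
    """Return (password_ok, needs_rehash) for a stored record."""
    scheme, *fields = record.split("$")
    if scheme == "sha1" and len(fields) == 2:
        expected = hash_legacy_sha1(password, bytes.fromhex(fields[0]))
        ok = hmac.compare_digest(expected, record)
        return ok, ok  # every valid legacy record should be upgraded
    if scheme == "pbkdf2" and len(fields) == 3:
        iterations = int(fields[0])
        expected = hash_adaptive(password, bytes.fromhex(fields[1]), iterations)
        ok = hmac.compare_digest(expected, record)
        return ok, ok and iterations < PBKDF2_ITERATIONS
    return False, False  # unknown scheme: fail closed


def login(store: dict[str, str], user: str, password: str) -> bool:
    record = store.get(user)
    if record is None:
        return False
    ok, needs_rehash = verify(password, record)
    if ok and needs_rehash:
        # The plaintext is only available at login, so upgrade the record now.
        store[user] = hash_adaptive(password)
    return ok


if __name__ == "__main__":
    # Constructed sample record, not real data.
    store = {"alice": hash_legacy_sha1("correct horse", bytes.fromhex("a1b2c3d4e5f60718"))}
    print(login(store, "alice", "correct horse"), store["alice"].split("$")[0])
```

Accounts that never log in again keep their legacy record under this approach, which is why a forced reset is the remaining option for them.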

Flipboard has reset all users’ passwords as a precaution.

Users can continue to use the app on devices from which they are already logged in, but will be prompted to create a new password if they access their account from a new device.  

“As another precautionary step, we disconnected tokens used to connect to all third-party accounts, and in collaboration with our partners, we replaced all digital tokens or deleted them where applicable,” the statement said.

“Additionally, to help prevent something like this from happening in the future, we implemented enhanced security measures and continue to look for additional ways to strengthen the security of our systems.

“We also notified law enforcement.”

BlackFog CEO and founder Dr Darren Williams says, “What’s particularly concerning about this case is that an unauthorised person had access to the news aggregator’s database for such a long period of time – more than nine months – and was able to make copies of user account information.

“For consumers, this shows us the importance of being your own first line of defence and using different passwords across platforms.

“The Flipboard hacker had access to user names, email addresses, and encrypted passwords – a dangerous combination for those who rely on one password.”
