Popular news aggregator platform Flipboard has disclosed that its databases containing account information of certain users have been hacked. The data that was potentially downloaded several times over a nine-month period ending on April 22 included user credentials, the Palo Alto, California-based company revealed in an email sent to all Flipboard users. A security incident notice has also been published on the Flipboard website to reveal the details of the data breach. The total number of affected users is uncertain. However, as a precautionary measure, the company has reset passwords of all its about 150 million users, including the passwords that were cryptographically protected.
In an email sent to its users, a copy of which is with Gadgets 360, Flipboard reveals that it found that the hackers gained access to some of its databases containing Flipboard user information between June 2, 2018, and March 23, 2019, as well as on April 21 and April 22, 2019. "The databases involved may have contained your name, Flipboard username, cryptographically protected password, and email address," the company said in the email.
The security incident that particularly took place between April 21 and 22 was discovered on April 23, when Flipboard's engineers were investigating the suspicious activity that occurred on March 23.
"Our engineering team became aware of the incident after identifying suspicious activity in the environment where the databases reside," the company stated in the notice on its website.
The total number of users being affected through the data breach is uncertain. However, Flipboard ensures that "not all Flipboard users' account information was involved in the incident" and as a precaution, all users' passwords have been reset.
Flipboard also highlights that the vast majority of passwords that were potentially downloaded by the hackers during the security failure were hashed using bcrypt. For the users who haven't changed their password since March 14, 2012, the company protected their passwords using SHA-1 encryption.
Since many of the affected users might have used digital tokens to log in to Flipboard using their credentials from Facebook, Google, and Twitter among other sites, Flipboard has rotated all the existing digital tokens. Nevertheless, the company is still allowing users to access their Flipboard account using third-party sources such as Facebook, Google, and Twitter.
"To help prevent something like this from happening in the future, we implemented enhanced security measures and continue to look for additional ways to strengthen the security of our systems," the company said without revealing any specific details due to security reasons.
Additionally, Flipboard mentioned that it informed law enforcement about the unauthorised access and involved an external security firm to investigate the flaw.