Popular news aggregator Flipboard has revealed that hackers gained access to user passwords several times over the last nine months. As detailed by TechCrunch, Flipboard has now reset the passwords of millions of its users following the breach.
Ecobee HomeKit Thermostat
In a notice posted to its website this week, Flipboard explains that hackers “accessed and potentially obtained copies of certain databases” during two separate windows of time. The breaches first took place between June 2nd, 2018 and March 23rd, 2019. A second breach occurred between April 21st and April 2nd of this year. The intrusions were detected on April 23rd.
Findings from the investigation indicate an unauthorized person accessed and potentially obtained copies of certain databases containing Flipboard user information between June 2, 2018 and March 23, 2019 and April 21 – 22, 2019.
The hacks exposed a variety of information connected to Flipboard user accounts, with the intruder able to access usernames, passwords, email addresses, and tokens used for connecting to third-party social networks such as Twitter. The passwords were protected using “salted hashing,” so long as they had been updated since March of 2012. Passwords from March 2012 and earlier were hashed with a weaker SHA-1 function.
As for the third-party account tokens, Flipboard says that it has “not found any evidence the unauthorized person accessed third-party account(s) connected to users’ Flipboard accounts.”
Flipboard replaced or deleted all digital tokens. Those tokens are no longer valid and therefore cannot be misused. Prior to the digital tokens being replaced or deleted, the access that the unauthorized person may have had to the third-party accounts linked to Flipboard accounts varies by the type of linked account as well as the permissions the user gave when linking it to the user’s Flipboard account.
As a precaution, Flipboard says it has reset all user passwords, though you can still use Flipboard from devices on which you’re already logged in. You will be prompted to create a new password if you log in from a new device.
Flipboard notes that “not all” users were affected by the security breach, but it did not disclose the actual breadth. The service is believed to have around 150 million monthly users. You can read the company’s full disclosure here.