For nearly nine months, the popular news aggregator Flipboard exposed sensitive user data to hackers in what has been called a glaring security breach. The number of affected users has not yet been estimated, but the company has disclosed that only a subset of its 145 million monthly active users was affected, a subset that may still be alarmingly large, reportedly in the millions.
According to a statement from the company, the hack occurred between June 2, 2018, and March 23, 2019, and again between April 21 and April 22, 2019. The breached database contains information such as usernames, email addresses, and passwords. On the plus side, the stolen passwords were cryptographically protected rather than stored in plain text.
“Flipboard has always cryptographically protected passwords using a technique known by security experts as ‘salted hashing’. The benefit of hashing passwords is that we never need to store the passwords in plain text. Moreover, using a unique salt for each password in combination with the hashing algorithms makes it very difficult and requires significant computer resources to crack these passwords. If users created or changed their password after March 14, 2012, it is hashed with a function called bcrypt. If users have not changed their password since then, it is uniquely salted and hashed with SHA-1,” it said in the statement.
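The split the statement describes, older records under fast salted SHA-1 and newer ones under a slow hash, typically arises when a service upgrades each record only at login, while the plain-text password is briefly available. The sketch below is an added illustration, not Flipboard's code: the record layout, the function names and the use of PBKDF2 from Python's standard library in place of bcrypt (a third-party package) are all assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example

def hash_legacy_sha1(password, salt):
    """Fast salted SHA-1 record; layout 'sha1$salt$digest' is assumed."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"

def hash_slow(password, salt=None, iters=PBKDF2_ITERATIONS):
    """Slow salted record (PBKDF2 stands in for bcrypt here)."""
    salt = salt or os.urandom(16)  # unique random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return f"pbkdf2${iters}${salt.hex()}${dk.hex()}"

def verify(password, record):
    """Recompute the record with its stored salt; compare in constant time."""
    try:
        scheme, *fields = record.split("$")
        if scheme == "sha1":
            salt_hex, _ = fields
            expected = hash_legacy_sha1(password, bytes.fromhex(salt_hex))
        elif scheme == "pbkdf2":
            iters, salt_hex, _ = fields
            expected = hash_slow(password, bytes.fromhex(salt_hex), int(iters))
        else:
            return False
    except ValueError:  # malformed record: wrong field count or bad hex
        return False
    return hmac.compare_digest(expected, record)

def login(store, user, password):
    """Verify, then upgrade a legacy record while the password is known."""
    record = store.get(user)
    if record is None or not verify(password, record):
        return False
    if not record.startswith("pbkdf2$"):
        store[user] = hash_slow(password)
    return True

def legacy_accounts(store):
    """Accounts still on the fast hash, i.e. not logged in since the switch."""
    return sorted(u for u, r in store.items() if r.startswith("sha1$"))

def demo_store():
    """Constructed sample data: one legacy record, one upgraded record."""
    return {"alice": hash_legacy_sha1("correct horse", os.urandom(16)),
            "bob": hash_slow("example-passphrase")}
```

Accounts that never log in again stay on the legacy hash indefinitely, which is why `legacy_accounts` is worth tracking and why a forced reset is the usual way to retire such records.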
Flipboard also stated that users who logged in to the website through third-party accounts may not have been affected. But as a precaution, “we have replaced or deleted all digital tokens,” the release added.
Flipboard has reset the passwords of all users “even though the passwords were cryptographically protected and not all users’ account information was involved. You can continue to use Flipboard on devices from which you are already logged in. When you access your Flipboard account from a new device, or the next time you log into Flipboard after logging out of your account, you will be asked to create a new password,” the statement said.