Flipboard mobile news app hacked – 150M users at risk

Flipboard, the hugely popular news aggregation app that is used by 150 million people each month and comes pre-installed on every Samsung phone, has been hacked – twice. According to a security notice posted by Flipboard, what it calls “unauthorized access” to databases took place between June 2, 2018 and March 23, 2019, as well as between April 21, 2019 and April 22, 2019. The hacker is confirmed as having “potentially obtained copies of certain databases containing Flipboard user information.”

What was breached?

According to Flipboard, the databases that were compromised hold account credentials, including actual names, usernames, cryptographically protected passwords and email addresses. Although it’s not clear exactly how many users were impacted by the breach, the Flipboard app has 150 million monthly users and Flipboard will only say that “not all users were involved.” The two important words in that list of breached data are cryptographically protected. This refers to the passwords being protected by salted hashes: rather than storing the plain text password, the service stores a one-way hash of the password combined with a unique random value (the salt) for each user, which makes cracking the stored values difficult but not impossible. Flipboard admits that passwords created (or changed) before March 14, 2012 used a much weaker hashing algorithm. In addition, there are digital tokens used to connect Flipboard accounts to social media and other third-party accounts, which Flipboard says “may have” been stored in those breached databases.
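To make the difference between a weak unsalted hash and a salted one concrete, here is an added example (not Flipboard’s code; the notice does not name the algorithms Flipboard used). It assumes unsalted single-round MD5 as a stand-in for the “much weaker” scheme and PBKDF2-HMAC-SHA256 with a per-user random salt as the stronger one; the sample passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample passwords: two users happen to share a password.
PASSWORDS = ["correct horse battery staple", "correct horse battery staple", "hunter2"]

ITERATIONS = 200_000  # assumed work factor for the slow, salted scheme


def weak_hash(password: str) -> str:
    """Unsalted, single-round MD5 (stand-in for a weak legacy scheme).

    Identical passwords produce identical digests, so one precomputed
    table of common passwords cracks every matching account at once.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt=None, iterations: int = ITERATIONS):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt per user.

    Returns (salt, digest); the salt is stored alongside the digest.
    The salt defeats precomputed tables and the iteration count makes
    each guess expensive, which is why cracking is 'difficult but not
    impossible' rather than trivial.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify(password: str, salt: bytes, expected: bytes, iterations: int = ITERATIONS) -> bool:
    """Recompute the salted digest and compare in constant time."""
    _, digest = salted_hash(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def distinct_digest_counts() -> tuple:
    """How many distinct stored values each scheme yields for PASSWORDS.

    The weak scheme collapses the two identical passwords into one
    digest (2 distinct values); the salted scheme keeps all three apart.
    """
    weak = {weak_hash(p) for p in PASSWORDS}
    strong = {salted_hash(p)[1] for p in PASSWORDS}
    return len(weak), len(strong)


if __name__ == "__main__":
    print("distinct digests (weak, salted):", distinct_digest_counts())
    salt, digest = salted_hash("hunter2")
    print("correct password verifies:", verify("hunter2", salt, digest))
    print("wrong password verifies:", verify("hunter3", salt, digest))
```

Running the block shows the unsalted scheme producing only two distinct values for three accounts, which is exactly the leakage a breached database exposes, while the salted scheme produces three and still verifies the correct password.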

Flipboard’s response?

As soon as Flipboard discovered the unauthorized access on April 23rd, it launched an investigation with the help of an external security company. While this may seem like a long delay before informing users of the breach, Flipboard has been thorough in carrying out this forensic investigation to confirm the incident. Security experts agree that the disclosure is full, frank and detailed. All Flipboard account holders should by now have received an email with details of the breach, and law enforcement has also been notified. Although passwords were salted and hashed as already stated, Flipboard has taken the precaution of resetting all user passwords. It has also replaced or deleted all digital tokens, even though there is no evidence that any third-party or social media accounts were accessed by the attackers.

The take away

You can continue to use your Flipboard account, just change your password. Be sure not to re-use a username and password combination you may use to access other services, and if your original Flipboard username/password is shared with other online services, be sure to change those as well ASAP. Threat actors use these shared credentials in order to compromise valuable resources such as email, social media accounts and bank accounts. Those of you who log into Flipboard using Facebook, Google, Samsung or Twitter accounts can continue to do so as before. Flipboard states that “your password is not stored in our database and we’ve rotated digital tokens.” This means that if your Flipboard account was connected to a Facebook or Google account, you’ll likely need to reconnect them to your Flipboard account, and it should prompt you to do this on login.

Unfortunately, the fact that Flipboard was breached for at least nine months is not that uncommon; sometimes we only find out about data breaches years after they occurred. The best way to protect yourself is to use unique passwords for every online account. Not sure how to do this? Feel free to reach out – we can help.

Stay safe out there