Flipboard reveals data breach, which left users' details exposed

Flipboard is the latest company to fall foul of a data breach.

The news aggregation app announced in a post that it had identified unauthorized access of some of its internal systems, which contained some Flipboard users' account information and credentials.

For more than nine months, the unauthorized person had access to Flipboard's systems, potentially able to obtain copies of databases which hosted users' information.

It's unclear yet how many users were affected by the breach, but an investigation commissioned by the company revealed there was unauthorised access between June 2018 and April 2019.

Passwords reset, most are secure

While the information on these databases included their name, Flipboard username, and email address, the passwords were cryptographically protected with an algorithm called bcrypt.

The algorithm adds a unique, random set of characters called a salt, on top of the usual hashing of the password, in which it is scrambled to make it difficult to figure out. This makes the passwords very tough to crack, requiring significant computing power to do so.

Passwords which were set before Mar. 14, 2012 were hashed and salted with an algorithm called SHA-1, a once-widely used function now long obsolete in the realm of internet security.

Flipboard said all user passwords have been reset in light of the breach, despite only some users being affected by the incident.

No third-party accounts accessed

The company also said its internal database contained digital tokens. These allowed Flipboard and a third-party to connect, for example when a user links their Flipboard account to social media platforms like Facebook or Twitter.

This allowed users to see content from these third-party accounts (i.e. making your Facebook News Feed readable on Flipboard), as well as comment on or share articles. The company said it had not seen unauthorized access to third-party accounts.

"We have not found any evidence the unauthorized person accessed third-party account(s) connected to users' Flipboard accounts. As a precaution, we have replaced or deleted all digital tokens," the post read.

"Importantly, we do not collect from users, and this incident did not involve Social Security numbers or other government-issued IDs, bank account, credit card, or other financial information."

Flipboard said it has already notified law enforcement of the incident, which it discovered on Apr. 23.

For users, they'll be prompted to change your password next time at login, and some will be prompted to reconnect to third-party services which were previously linked to Flipboard.