The news aggregator and online magazine platform Flipboard is warning its users that it has been hacked and a “subset” of users’ details likely stolen, forcing it to reset its entire user base’s passwords.
Founded and based in California, the news and magazine aggregator has been in operation since 2010. The platform is on most Android phones by default, and is accessible on iOS systems. It currently has over 150 million monthly users.
The damage appears to have been limited, as Flipboard doesn’t gather user data beyond a name and username. Passwords were encrypted and salted.
The Flipboard hack was first identified by its engineering team on April 23. The team identified unauthorised activity within the system occurring on April 21 and warned it may have resulted in the hacker making copies of the user database from the dates June 2, 2018, to March 23, 2019.
It is also warning about unauthorised database access from April 21 to 22, 2019.
However, Flipboard says that the team was originally investigating: “Suspicious activity that occurred on March 23, 2019,” not the April breach. Computer Business Review has asked Flipboard whether these are actually two separate breaches, but at the time of publishing has not received a response.
The user information potentially accessed during the breach, according to Flipboard, was usernames, email addresses and passwords.
Flipboard has instigated a complete password reset on the platform, which will require users to set up new passwords when they next log into the service.
Flipboard Hack May Extend to Third Party Accounts
The magazine platform has also replaced all of the digital tokens that are created when a user logs into a site via a third-party application such as Facebook or Google.
When this connection is made a digital token is created that establishes a unique connection between that user’s Flipboard account and their social media account.
The company said: “The unauthorized person may have had [access] to the third-party accounts linked to Flipboard accounts varies by the type of linked account as well as the permissions the user gave when linking it to the user’s Flipboard account, but potentially may have allowed the unauthorized person to read or make posts and messages on the account and access some user account information, such as user name, profile information, posts to the site, and connections. In some cases, this access also allowed changes to this information, such as inviting new people to connect.”
The magazine aggregator has noted that the ‘vast majority’ of passwords accessed were secured with bcrypt, while the passwords of any Flipboard users who have not logged into the service since 2012 are hashed using the old standard of Secure Hash Algorithm 1 (SHA-1), a hashing system that has been considered unsafe since the mid-2000s.
Hashing is the transformation of a string of characters into a fixed-length value that the system can look up with ease. When used with passwords these are often salted, which means random data is added to each password before it is hashed to add extra complexity.
bcrypt is a slow hashing method and is generally considered a better choice for passwords, as it increases the time and effort a threat actor has to expend to recover passwords from a stolen list of credentials: the hash itself is designed to be expensive to calculate. Fast hashes, on the other hand, are designed with different requirements in mind and are expected to be computed quickly so they don’t slow systems down.
Security writer Frank Rietta wrote in a blog that fast hashing poses a risk when used with passwords: “When an attacker gets access to your database of password hashes and he also has a copy of your salt, which he presumably will considering that your server was compromised, then your users’ passwords are in danger. With a fast hash, the attacker can compute billions of hashes per second in an offline attack.” So a slow hashing method is generally preferable for passwords.
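As an added illustration of the two schemes described above (this is not code from the article or from Flipboard), the following Python sketch shows a login check that still verifies legacy salted SHA-1 records but transparently re-hashes them with a slow iterated hash on the next successful login, which is the situation dormant accounts are left in after a migration. PBKDF2-HMAC from the standard library stands in for bcrypt, and the credential store, user names and round count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Assumption: round count tuned so one slow hash costs tens of milliseconds.
PBKDF2_ROUNDS = 200_000


def legacy_sha1_hash(password: str, salt: bytes) -> bytes:
    """Fast salted SHA-1: the legacy scheme, cheap to brute-force offline."""
    return hashlib.sha1(salt + password.encode()).digest()


def slow_hash(password: str, salt: bytes) -> bytes:
    """Slow, iterated hash (PBKDF2-HMAC-SHA256 stands in for bcrypt here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_record(password: str, scheme: str) -> dict:
    """Build a stored credential record tagged with the scheme that produced it."""
    salt = os.urandom(16)
    digest = legacy_sha1_hash(password, salt) if scheme == "sha1" else slow_hash(password, salt)
    return {"scheme": scheme, "salt": salt, "hash": digest}


def verify_and_upgrade(store: dict, username: str, password: str) -> bool:
    """Check a login; on success, re-hash any legacy SHA-1 record with the slow scheme."""
    rec = store.get(username)
    if rec is None:
        slow_hash(password, b"\x00" * 16)  # burn equal work so timing does not reveal unknown users
        return False
    if rec["scheme"] == "sha1":
        ok = hmac.compare_digest(rec["hash"], legacy_sha1_hash(password, rec["salt"]))
        if ok:
            store[username] = make_record(password, "pbkdf2")  # plaintext is only available at login
        return ok
    return hmac.compare_digest(rec["hash"], slow_hash(password, rec["salt"]))


def legacy_accounts(store: dict) -> list:
    """Audit helper: accounts still protected only by the fast SHA-1 scheme."""
    return sorted(user for user, rec in store.items() if rec["scheme"] == "sha1")


def build_sample_store() -> dict:
    """Constructed sample store: one dormant (SHA-1) and one active (slow-hash) account."""
    return {
        "dormant_user": make_record("correct horse", "sha1"),
        "active_user": make_record("battery staple", "pbkdf2"),
    }
```

The audit helper is the check a defender would run after such a breach: any account it lists has a hash that an attacker holding the database and salts can attack at fast-hash speeds.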
Flipboard concluded in its security alert that: “To help prevent something like this from happening in the future, we implemented enhanced security measures and continue to look for additional ways to strengthen the security of our systems.”
“We also notified law enforcement.”