Flipboard hacked and open for 9 months – fortunately passwords properly salted and hashed so not much damage

In a series of emails seen by ZDNet that the company sent out to impacted users, Flipboard said hackers gained access to databases the company was using to store customer information.

Most passwords are secure

Flipboard said these databases stored information such as Flipboard usernames, hashed and uniquely salted passwords, and in some cases, emails or digital tokens that linked Flipboard profiles to accounts on third-party services.

The good news appears to be that the vast majority of passwords were hashed with a strong password-hashing algorithm named bcrypt, currently considered very hard to crack.

The company said that some passwords were hashed with the weaker SHA-1 algorithm, but they were not many.

“If users created or changed their password after March 14, 2012, it is hashed with a function called bcrypt. If users have not changed their password since then, it is uniquely salted and hashed with SHA-1,” Flipboard said.

[…]

In its email, Flipboard said it is now resetting all customer passwords, regardless of whether users were impacted or not, out of an abundance of caution.

Furthermore, the company has already replaced all digital tokens that customers used to connect Flipboard with third-party services like Facebook, Twitter, Google, and Samsung.

“We have not found any evidence the unauthorized person accessed third-party account(s) connected to your Flipboard accounts,” the company said.

Extensive breach

But despite some good news for users, the breach appears to be quite extensive, at least for the company’s IT staff.

According to Flipboard, hackers had access to its internal systems for almost nine months, first between June 2, 2018, and March 23, 2019, and then for a second time between April 21 and April 22, 2019.

The company said it detected the breach the day after this second intrusion, on April 23, while investigating suspicious activity on its database network.

Source: Flipboard says hackers stole user details | ZDNet
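
The split described above, where accounts untouched since the cutoff still hold salted SHA-1 hashes while newer ones use bcrypt, is usually closed by rehashing on the next successful login. The sketch below is an added example, not Flipboard's code: the record layout, the `salt + password` order and the function names are assumptions, and the standard library's PBKDF2-HMAC-SHA256 stands in for bcrypt so it runs without third-party packages.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption: work factor, tune to your hardware


def legacy_sha1(password: str, salt: bytes) -> bytes:
    """Legacy scheme (assumed layout): a single SHA-1 pass over salt + password."""
    return hashlib.sha1(salt + password.encode()).digest()


def slow_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for bcrypt: PBKDF2-HMAC-SHA256 with a high iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_and_upgrade(record: dict, password: str) -> bool:
    """Verify a login; a record still on salted SHA-1 is rehashed in place."""
    scheme = record.get("scheme")
    if scheme == "sha1":
        ok = hmac.compare_digest(legacy_sha1(password, record["salt"]), record["hash"])
        if ok:
            # The plaintext is only available now, so this is the moment to upgrade.
            new_salt = os.urandom(16)
            record.update(scheme="pbkdf2", salt=new_salt,
                          hash=slow_hash(password, new_salt))
        return ok
    if scheme == "pbkdf2":
        return hmac.compare_digest(slow_hash(password, record["salt"]), record["hash"])
    return False  # unknown scheme: fail closed


def constructed_legacy_record(password: str) -> dict:
    """Constructed sample: an account whose password predates the migration."""
    salt = os.urandom(16)
    return {"scheme": "sha1", "salt": salt, "hash": legacy_sha1(password, salt)}


if __name__ == "__main__":
    rec = constructed_legacy_record("correct horse")
    print(verify_and_upgrade(rec, "correct horse"), rec["scheme"])
```

Accounts that never log in again stay on the weak scheme under this approach, which is why a forced reset of every password, as the article reports, is the other way to retire the old hashes.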