News aggregator Flipboard has revealed that it was the victim of a security breach in which hackers gained unauthorized access to a “subset of user data.” The databases that were accessed stored Flipboard user account credentials, and after a recent investigation, Flipboard has determined that whoever got in had access for as long as nine months.
More specifically, this hacker (or hackers) had access to a portion of Flipboard’s databases between June 2nd, 2018, and March 23rd, 2019, then again on April 21st and 22nd, 2019. During those times, the hacker could potentially have copied login credentials from those databases, making off with users’ names, Flipboard usernames, and cryptographically protected passwords and email addresses.
Flipboard says that whatever passwords were stored on those databases were protected by salted hashing – passwords created or changed after March 14, 2012 were hashed with bcrypt, while those created or last changed before then were protected with SHA-1. On top of that, Flipboard used these databases to store login tokens for linked third-party accounts, though the company says that it hasn’t found any evidence that the hacker was able to access those accounts using the tokens stored on these servers.
In any case, Flipboard has either replaced or deleted those login tokens and is now forcing all users to reset their passwords. Flipboard doesn’t say how many people were affected by this breach, but regardless of whether your data was involved in the breach or not, you’ll be prompted to change your password the next time you log into the service. If you use that same email and password combination to log into other accounts aside from Flipboard, it’s probably a good idea to change those passwords too, just to be on the safe side.
Flipboard has published an explainer post to its blog, complete with an FAQ that details how it hashed passwords and just what users need to do to keep their information secure. If you’re a Flipboard user, that FAQ is definitely worth a read through, and you’ll probably want to log out and back in as soon as possible to bring up the password change prompt.