An attacker gained access to, and likely made copies of user account data from the popular news platform Flipboard for 11 months. Flipboard claims the ‘unauthorized person’ had access to Flipboard user data for almost a full year. This is big — Flipboard is installed by default on many Android devices.
Flipboard said in their notice that “The databases involved contained some of our users’ account information, including name, Flipboard username, cryptographically protected password, and email address.” The time span specified is June 2, 2018 – March 23, 2019 and April 21 – 22, 2019. That means the attack vector went unnoticed for almost a year — that is a lot of time for someone to mass-download and abuse the data. There is no mention of how many users are affected.
Since the passwords were stored as a cyrptographic hash, it would take large computing power to de-crypt the passwords. However it is still possible with time. And for these reasons, Flipboard is forcing all users to update their passwords the next time they log in.
If you use the same password across different accounts, now would be a good time to change your passwords and look into getting a password manager. Once your data is out there, there is no getting it back.
In addition, if you signed into Flipboard using a third-party account such as Google or Facebook, the token used to sign in was also accessible. However, Flipboard did say “We have not found any evidence the unauthorized person accessed third party accounts connected to users Flipboard accounts.”
This is yet another security breach in the bag of security mishaps this year.