Flipboard, the hugely popular news aggregation app has been hacked. Twice.
The company announced yesterday that two separate breaches exposed user account information – the first for a period of about nine months. The app is used by 150 million people each month.
Flipboard said the first intrusion took place between June 2018 and March 2019, and the second between April 21 and 22, 2019. The company says law enforcement has been notified and an outside security firm has been hired to investigate the hack.
Apparently not all user accounts were affected, but Flipboard hasn’t made it clear yet how many were.
What’s been lost?
According to Flipboard the compromised databases hold account credentials including usernames, actual names, hashed or cryptographically protected passwords, and email addresses.
As in yesterday’s blog about the attack on Canva, the passwords copied by the hackers were ‘hashed’: passed through a one-way function that turns each password into a fixed-length scramble which can’t be reversed back into the original. At login the server hashes whatever the user types and compares the result with the stored value, so the plaintext password never needs to be kept.
It means even Flipboard wouldn’t have been able to see them, and makes recovering them a difficult proposition for any attacker.
Not impossible though. With time and resources it’s safe to assume that many of the hashes could be cracked, by guessing candidate passwords, hashing each guess and checking for a match; weak or reused passwords fall first. Flipboard has also admitted that any passwords created by users before March 2012 are protected by a much weaker hashing algorithm.
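To make the hashing point concrete, here is an added example (not Flipboard’s code, and not based on any detail of their system) that models a password store with two schemes: a constructed “legacy” scheme standing in for the older, weaker hashing the post mentions (fast, unsalted SHA-1), and a salted PBKDF2 scheme for current accounts. It shows why unsalted fast hashes are the weak case (identical passwords produce identical hashes, so one crack unlocks every matching account) and the standard remedy: verify the legacy hash on a successful login and immediately re-hash the password under the stronger scheme. The user records and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to your hardware budget


def hash_legacy(password: str) -> str:
    """Constructed stand-in for an old, weak scheme: fast and unsalted.
    Every user with the same password gets the same hash, and each guess costs
    one cheap SHA-1 call, which is exactly what makes it easy to crack."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Current scheme: per-user random salt plus a deliberately slow KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {
        "scheme": "pbkdf2_sha256",
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "hash": digest.hex(),
    }


def verify_and_upgrade(record: dict, password: str) -> Tuple[bool, dict]:
    """Check a login attempt against a stored record.

    Returns (accepted, record_to_store). When a legacy record verifies, the
    returned record is a fresh PBKDF2 record so the weak hash can be replaced
    the moment the user logs in; callers must persist it."""
    if record["scheme"] == "legacy_sha1":
        accepted = hmac.compare_digest(record["hash"], hash_legacy(password))
        if accepted:
            return True, hash_password(password)  # upgrade on successful login
        return False, record

    if record["scheme"] == "pbkdf2_sha256":
        digest = hashlib.pbkdf2_hmac(
            "sha256",
            password.encode("utf-8"),
            bytes.fromhex(record["salt"]),
            record["iterations"],
        )
        return hmac.compare_digest(digest.hex(), record["hash"]), record

    raise ValueError(f"unknown password scheme: {record['scheme']!r}")


def salted_hashes_collide(password: str) -> bool:
    """Two users with the same password under the salted scheme: different hashes."""
    return hash_password(password)["hash"] == hash_password(password)["hash"]


def legacy_hashes_collide(password: str) -> bool:
    """Two users with the same password under the legacy scheme: identical hashes."""
    return hash_legacy(password) == hash_legacy(password)


# Constructed user table: one pre-migration account and one current account.
USERS = {
    "alice": {"scheme": "legacy_sha1", "hash": hash_legacy("correct horse")},
    "bob": hash_password("battery staple"),
}


if __name__ == "__main__":
    ok, upgraded = verify_and_upgrade(USERS["alice"], "correct horse")
    print("alice login:", ok, "-> stored scheme is now", upgraded["scheme"])
    print("same password, legacy hashes identical:", legacy_hashes_collide("hunter2"))
    print("same password, salted hashes identical:", salted_hashes_collide("hunter2"))
```

The upgrade-on-login pattern is the usual way out of a legacy-hash problem without forcing a reset, but it only reaches accounts that actually log in; dormant accounts keep their weak hashes, which is one reason a forced reset of everything (as Flipboard did) is the safer call after a breach.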
Social media tokens, used to let users log on to Flipboard using their social media credentials, may also have been stored in those databases.
Grading the company’s reaction
Taking a double hit from hackers isn’t great news and the first one in 2018 was obviously missed. When Flipboard discovered the breach in April however it immediately engaged outside experts and launched an investigation.
There was a delay before informing its users, but it’s important in the early days following a breach to investigate properly. Any company suffering a breach needs to understand exactly what data may have been lost or damaged.
Sometimes when a breach is discovered the hacker is still logged into the system, so investigators will take time to quietly observe their movements on the network and better understand their behaviour, interest, and intent.
Despite passwords being hashed, Flipboard proactively took the extra precaution of resetting all user passwords. It has also replaced or deleted all digital tokens, just in case tokens for third-party or social media accounts were copied by the attackers.
Overall we’d say Flipboard’s response is a good one. They look to have been rigorous, acted quickly, and communicated well. Account holders have been notified by email with details of the breach. And law enforcement has been alerted.
Ideally there would be clarity on the issue of whether or not social media tokens were exposed, and the exact number of users affected.
From our perspective, 4 stars out of 5.
What should users do?
- If you’re a Flipboard user you’ll still have access to your account. Go to the login page and you’ll be prompted to reset your password.
- Cybercriminals know that many people use the same or similar credentials for numerous online services. If that describes you, now would be a very good time to reset all duplicate passwords, particularly those on accounts that hold financial or other sensitive information.
- If you’ve been using social media credentials like Facebook or Twitter to log in to Flipboard you should be fine. Flipboard has reset all its third-party digital tokens. You may need to re-connect your social media account to Flipboard now that they’ve made that precautionary change.
Another day, another breach
It’s easy to become blasé about data breaches. We’ve seen two major ones this week and who knows – more could land before Friday.
When hackers try to harvest data in bulk like this, it’s usually login information they want. They’ll use credentials to try and gain access to bank accounts, or to find a way into the places on corporate networks where the most valuable proprietary information is held.
Resetting passwords on a regular basis, or using strong passwords generated by a security program (or even your web browser’s password generating function), won’t stop your data from being lost, but as a precautionary measure they’ll make your personal info that much harder to steal.
Because passwords are structurally weak, the world is slowly moving beyond username & password as the access method for online services.
- Two-factor authentication is becoming more and more common. Unlike the password/userid combo, two-factor authentication requires two different kinds of identity proof, for example combining a password with a code texted to your mobile phone.
- Using USB hardware security keys as a physical key to gain access to a device or online service is already common in professional environments.
- Apple and Samsung are working hard to make biometrics a standard security feature in smartphones and tablets.
These are the better alternatives. Biometrics and two-factor are slowly moving toward mass adoption, but they still need time.
From a cybersecurity perspective it can’t happen fast enough.