Flipboard Says Hackers Hid In Its Systems For Nine Months
Flipboard, one of the most popular news aggregators in any app store, has been hacked. The investigation is ongoing, but initial indications are that it could have been much, much worse.
This was no smash-and-grab-style attack. Whoever hacked Flipboard operated in the shadows on its networks over the course of nine long months. The company also reported two separate intrusions. The first lasted from June 2, 2018 until March 23, 2019.
The second, on April 21 and 22, finally triggered the alarms.
Flipboard’s official statement on the incident is understandably vague but does offer some important details. Critically, Flipboard does not collect highly sensitive data like social security numbers or payment information from its users.
The databases that were accessed did store users’ email addresses and passwords, but passwords were handled appropriately. Any that were created or changed after March 14, 2012 were protected by the powerful bcrypt hashing function. It could take a moderately powerful system as long as four years to crack a single bcrypt-hashed password.
That should cover the bulk of Flipboard’s users, since the app only launched in 2010. Passwords on older accounts were hashed with SHA-1, which is now known to be a poor choice for the task. Fortunately, Flipboard added a unique salt to each, so one precomputed table cannot be reused across accounts and each password has to be brute-forced on its own.
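The cutoff in Flipboard’s statement (bcrypt only for passwords created or changed after March 14, 2012) is what happens when legacy hashes are only upgraded when a user changes their password. As an added example, not code from Flipboard or this article, here is a Python sketch of the two record formats the article describes and a login path that rehashes a legacy salted-SHA-1 record the moment its owner signs in; bcrypt is not in Python’s standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it, and the `scheme$salt$digest` record format is assumed.

```python
import hashlib
import hmac
import os

# Constructed illustration of the two hash formats described in the article.
# bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 stands in
# for it as the slow, adaptive hash (an assumption of this example).
PBKDF2_ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


def hash_legacy_sha1(password: str, salt: bytes) -> str:
    """Legacy scheme: per-user salt plus one fast SHA-1 pass (cheap to attack)."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def hash_slow(password: str, salt: bytes = b"") -> str:
    """Current scheme: per-user random salt plus a slow, tunable KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a password against either stored format using a constant-time compare."""
    scheme, *fields = stored.split("$")
    if scheme == "sha1":
        salt_hex, _digest = fields
        candidate = hash_legacy_sha1(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(candidate, stored)
    if scheme == "pbkdf2":
        iters, salt_hex, digest = fields
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(candidate.hex(), digest)
    return False  # unknown scheme: never accept


def login(password: str, stored: str) -> tuple:
    """Verify the password; on success, transparently upgrade a legacy record.

    Returns (accepted, record_to_store). The plaintext is only available at
    login time, so this is the one moment an old SHA-1 hash can be replaced.
    """
    if not verify(password, stored):
        return False, stored
    if stored.startswith("sha1$"):
        return True, hash_slow(password)
    return True, stored
```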
Not all Flipboard users sign in with passwords. Some use their connected Facebook or Google accounts instead. The database that was breached also contained the authentication tokens used to validate those users.
Those are the same kind of tokens that were hijacked in the infamous cyber attacks on Yahoo. The token acts like an access card for a keyless door lock. With a user’s token in hand, a hacker doesn’t need to know his or her password. Flipboard invalidated or deleted all existing tokens once it became aware of the breach.
Flipboard is also confident that not all users were impacted by the attacks. An accurate count of the number who were impacted hasn’t been revealed yet. The company also took the precaution of resetting all users’ passwords.
Flipboard has reported the incident to law enforcement officials and continues working with a third party security firm to investigate the attack.