Flipboard joins the list of companies that have acknowledged a security breach. This time the company not only acknowledges that data such as names, user names and encrypted passwords were exposed (no identity documents, cards or bank accounts), but also that an unauthorized person had access to them and probably obtained copies of databases containing information about the service's users.
According to Flipboard, the information the person could have accessed contained data from between June 2, 2018, and March 23, 2019, and between April 21 and 22, 2019. The problem was identified on April 21, while investigating suspicious activity on March 23, 2019. Flipboard has notified the authorities, which is mandatory under the GDPR.
The passwords were cryptographically protected, but Flipboard still asks you to change them
While acknowledging the breach and the malicious access, Flipboard says the passwords were protected by salted hashing, whose advantage, as we know, is that passwords never need to be stored in plain text and that recovering them from the hashes is a very complex task. Passwords that have not been changed since March 14, 2012, are protected with a salted SHA-1 hash, while those set since then use a hash algorithm with the crypt function.
Flipboard is more cautious when talking about access to connected third-party accounts (typically Gmail, Facebook, Twitter, etc.), whose tokens could be in the exposed databases and could have been used to access news reader accounts. However, the company claims it has found no evidence of unauthorized access by the person who obtained the databases. To prevent further harm, Flipboard says it has replaced or deleted those digital tokens.
The next time Flipboard users access the service, they will be required to change their password or, if they signed in with a third-party account, to re-grant Flipboard access to their login. The company offers more information about resetting the password on its help page.
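The article notes that passwords unchanged since March 14, 2012 still carried salted SHA-1 hashes. The following is an added example, not Flipboard's code, of verifying such a legacy record and replacing it with a slow key-derivation function at the next successful login. The record format, the salt-then-password ordering and the use of PBKDF2 as a stand-in for the newer scheme are assumptions.

```python
import hashlib
import hmac
import os

# Constructed record format (an assumption, not Flipboard's schema):
#   sha1$<salt hex>$<digest hex>    legacy salted SHA-1
#   pbkdf2$<salt hex>$<digest hex>  slow KDF standing in for the newer scheme
PBKDF2_ITERATIONS = 600_000

def hash_legacy_sha1(password, salt):
    # One fast SHA-1 pass over salt || password (ordering is an assumption).
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"

def hash_pbkdf2(password, salt=None):
    # A fresh random salt per record unless one is supplied for verification.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${salt.hex()}${digest.hex()}"

def verify(password, record):
    try:
        scheme, salt_hex, _ = record.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record
    if scheme == "sha1":
        candidate = hash_legacy_sha1(password, salt)
    elif scheme == "pbkdf2":
        candidate = hash_pbkdf2(password, salt)
    else:
        return False  # unknown scheme
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(candidate, record)

def login(password, record):
    """Return (authenticated, record_to_store), upgrading legacy hashes."""
    if not verify(password, record):
        return False, record
    if record.startswith("sha1$"):
        # The plaintext is only available now, so re-hash with the slow KDF.
        return True, hash_pbkdf2(password)
    return True, record
```

Accounts that never log in again keep their legacy record, which is why a forced reset is the only way to retire every old hash.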