Flipboard, a social sharing site and news aggregator, has reset millions of user passwords after hackers gained access to its systems several times over a nine-month period. The company confirmed in a notice Tuesday that the hacks took place between June 2, 2018 and March 23, 2019, and a second time on April 21-22, 2019, but the intrusions were only detected a day later, on April 23. Hackers stole usernames, email addresses, passwords and account tokens for third-party services. According to the notice, “not all” Flipboard users’ account data were involved in the breaches, but the company declined to say how many users were affected. Flipboard has about 150 million monthly users. Although the passwords were not stored in readable form, Flipboard said passwords set before March 14, 2012 were hashed with the older, weak SHA-1 algorithm. Any passwords changed after that date are hashed with a much stronger algorithm that makes them far more difficult to recover in a usable form. The hacks also exposed account tokens, which give Flipboard access to data from accounts on other services, such as Facebook, Google and Samsung.
https://twitter.com/campuscodi/status/1133528551175708679
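The notice above describes a database that still held unsalted SHA-1 password hashes seven years after a stronger algorithm was adopted. The following added example (not Flipboard's code; the record format, the `sha1$`/`scrypt$` prefixes and the sample password are constructed here) shows the standard remedy: verify a legacy hash on login and overwrite it with a salted, slow hash so weak records are retired instead of lingering until a breach exposes them.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample record: an unsalted SHA-1 hash of a made-up legacy
# password. This is not a real Flipboard record.
LEGACY_PASSWORD = "correct horse"
LEGACY_RECORD = "sha1$" + hashlib.sha1(LEGACY_PASSWORD.encode()).hexdigest()

# Cost parameters for the modern scheme (scrypt from the standard library).
# 128 * r * N bytes = 16 MiB of memory per hash at these settings.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_modern(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted scrypt record of the form scrypt$<hex salt>$<hex key>."""
    salt = salt or os.urandom(16)  # fresh random salt per record
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_and_upgrade(password: str, record: str) -> Tuple[bool, str]:
    """Check a password against a stored record.

    Returns (ok, record_to_store). When a legacy unsalted SHA-1 record
    verifies, the returned record is a fresh scrypt hash so the caller can
    overwrite the weak one; otherwise the original record is returned.
    """
    scheme, _, rest = record.partition("$")
    if scheme == "sha1":
        # Legacy scheme: unsalted and fast, so identical passwords share a
        # hash and a leaked table is cheap to attack with bulk guessing.
        candidate = hashlib.sha1(password.encode()).hexdigest()
        if hmac.compare_digest(candidate, rest):
            return True, hash_modern(password)  # upgrade on successful login
        return False, record
    if scheme == "scrypt":
        salt_hex, _, key_hex = rest.partition("$")
        candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                   n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
        return hmac.compare_digest(candidate.hex(), key_hex), record
    raise ValueError(f"unknown hash scheme: {scheme}")
```

Because scrypt records carry their own random salt, two users with the same password no longer share a stored value, which is exactly the property the legacy SHA-1 table lacked.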
Experts’ Comments:
Ben Goodman, VP of Global Strategy and Innovation at ForgeRock:
Unfortunately, the fact that Flipboard was breached for at least nine months is not that uncommon as companies can go for years before learning about unauthorized access. Users that received a notice about the breach from Flipboard should immediately change their login credentials across all accounts that use the same email, username and/or passwords to prevent the success of potential credential stuffing attacks.
Organizations like Flipboard that rely heavily on improving user experience are tasked with striking the right balance between security and customer choice to deliver the most secure and meaningful experience across all digital touch-points. Solutions leveraging intelligent contextual authentication can assist these organizations by allowing them to utilize device, contextual and behavioral analytics, user choice and risk-based factors as authentication while maintaining compliance. This allows for increased user adoption rates and improves the customer experience all while redirecting suspicious users for further monitoring.
Terry Ray, SVP at Imperva:
“Modern data repositories can often provide cost savings, business intelligence, information sharing and increased technology scale, yet they also introduce complexities and requirements which often require advanced enablement of technical staff before their use. It is yet another area in which technology and business needs are outpacing the expertise of technical staff, and this discrepancy is leading to simple security mistakes that simply shouldn’t happen.
“That said, Flipboard was doing something right: not storing passwords in plaintext. Flipboard smartly stores passwords either hashed or uniquely salted, meaning that it is incredibly difficult for attackers to obtain your password.”
Robert Prigge, President at Jumio:
Jonathan Olivera, Threat Analyst at Centripetal:
This breach is representative of many companies that think this type of breach will not happen to them. The truth of the matter may be that many companies like Flipboard are potentially already breached but do not have the means of finding out or lack the knowledge to identify their weak points. In this environment, the reactive approach to security just lets the world know the current status quo of tech giants’ security standards in 2019.
Martin Jartelius, CSO at Outpost24:
Kevin Gosschalk, CEO at Arkose Labs:
The opinions expressed in this article belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.