Flipboard, a social sharing site and news aggregator, has reset millions of user passwords after hackers gained access to its systems several times over a nine-month period. The company confirmed in a notice Tuesday that the hacks took place between June 2, 2018 and March 23, 2019, and a second time on April 21-22, 2019, but the intrusions were only detected a day later, on April 23. Hackers stole usernames, email addresses, passwords and account tokens for third-party services. According to the notice, “not all” Flipboard users’ account data were involved in the breaches, but the company declined to say how many users were affected. Flipboard has about 150 million monthly users. Although the stolen passwords were hashed rather than stored in plaintext, Flipboard said passwords set before March 14, 2012 were hashed with the older, weak SHA-1 algorithm. Any passwords changed after that date are hashed with a much stronger algorithm that makes it far harder to recover the original password in a usable form. The hacks also exposed account tokens, which give Flipboard access to data from accounts on other services, like Facebook, Google and Samsung.
Ben Goodman, VP of Global Strategy and Innovation at ForgeRock:
“Data theft and cyber-attacks represent the number four and five global risks facing organizations across every vertical according to the World Economic Forum’s 2019 Global Risks Report. That being said, companies must be more prepared to defend user data from malicious outsiders, or suffer the consequences of lawsuits, sanctions from data privacy laws, decreased user trust, tarnished brand reputation, damaged investor relations and more. In fact, First American Title Company has already had a nationwide class action lawsuit filed against it after it failed to secure 885 million records of customer data last week.
Unfortunately, the fact that Flipboard was breached for at least nine months is not that uncommon as companies can go for years before learning about unauthorized access. Users that received a notice about the breach from Flipboard should immediately change their login credentials across all accounts that use the same email, username and/or passwords to prevent the success of potential credential stuffing attacks.
Organizations like Flipboard that rely heavily on improving user experience are tasked with striking the right balance between security and customer choice to deliver the most secure and meaningful experience across all digital touch-points. Solutions leveraging intelligent contextual authentication can assist these organizations by allowing them to utilize device, contextual and behavioral analytics, user choice and risk-based factors as authentication while maintaining compliance. This allows for increased user adoption rates and improves the customer experience all while redirecting suspicious users for further monitoring.”
“Organisations that want or need to collect private data on individuals must accept the responsibility for protecting that data. When housing data in a cloud environment, businesses often unintentionally leave databases vulnerable, and these back-to-back breaches highlight how modern data repositories have created a fundamental conflict in businesses.
“Modern data repositories can often provide cost savings, business intelligence, information sharing and increased technology scale, yet they also introduce complexities and requirements which often require advanced enablement of technical staff before their use. It is yet another area in which technology and business needs are outpacing the expertise of technical staff, and this discrepancy is leading to simple security mistakes that simply shouldn’t happen.
“That said, Flipboard was doing something right: not storing passwords in plaintext. Flipboard smartly stores passwords either hashed or uniquely salted meaning that it is incredibly difficult for attackers to obtain your password.”
“It looks like Flipboard is following the standard breach recourse playbook. After some portion of their 150 million users had their usernames, email addresses, passwords and account tokens for third-party services stolen, Flipboard is now resetting the passwords for all their users and replacing/deleting all digital tokens. This is obviously a smart initial move, but the larger, more important question is why continue to rely on usernames and passwords? Every time there’s a data breach, more of our personal data creeps into the Dark Web where it can be bought and sold for pennies. It’s time to abandon this archaic practice and embrace biometric-based authentication, and consumers are already aching for companies to make the move. Increasingly, we are using our face to unlock our phones, so it only makes sense to rely on our phones to unlock our accounts — and keep the fraudsters out of them.”
Flipboard is yet another platform with a large following of 150 million users a month that hackers will look to compromise. Flipboard let their users down by using an outdated SHA-1 hashing algorithm to store user passwords. I would predict that those hashes were not salted which would prevent a rainbow table attack meant to be used against weak hashing algorithms.
This breach is representative of many companies that think this type of breach will not happen to them. The truth of the matter may be that many companies like Flipboard are potentially already breached but do not have the means of finding out or lack the knowledge to identify their weak points. In this environment, the reactive approach to security just lets the world know the current status quo of tech giants’ security standards in 2019.
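The two password-storage schemes the article and the comment above contrast, unsalted SHA-1 versus a salted, iterated hash, as an added Python example written for this page (it is not Flipboard's code; the record format, the PBKDF2 iteration count and the small wordlist are assumptions made here). It shows why one precomputed table reverses every unsalted hash of a common password, why per-user salts defeat that table, and how a site can migrate legacy records transparently when a user next logs in:

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed wordlist standing in for a precomputed (rainbow/lookup) table.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
# Assumption: a current work factor for PBKDF2-HMAC-SHA256; tune to your hardware.
PBKDF2_ITERATIONS = 600_000


def legacy_sha1_hash(password: str) -> str:
    """Unsalted SHA-1, the pre-2012 scheme the article describes. It is
    deterministic: the same password yields the same digest for every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 stored as a self-describing record:
    pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>  (format assumed here)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def is_legacy_record(stored: str) -> bool:
    """Legacy records are bare 40-hex-character SHA-1 digests with no scheme tag."""
    return "$" not in stored and len(stored) == 40


def verify_password(password: str, stored: str) -> bool:
    """Check a password against either record type, comparing in constant time."""
    if is_legacy_record(stored):
        return hmac.compare_digest(legacy_sha1_hash(password), stored)
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_lookup_table(wordlist) -> Dict[str, str]:
    """Precompute unsalted SHA-1 digests for a wordlist. Because the legacy
    scheme has no salt, this one table serves every account in the dump."""
    return {legacy_sha1_hash(pw): pw for pw in wordlist}


def recover_from_table(stored: str, table: Dict[str, str]) -> Optional[str]:
    """Table lookup succeeds for an unsalted digest of a listed password and
    fails for a salted record, whose digest depends on the per-user salt."""
    return table.get(stored)


def upgrade_on_login(password: str, stored: str) -> str:
    """Transparent migration: once a user authenticates against a legacy
    record, replace it with a salted record. Returns the record to store."""
    if not verify_password(password, stored):
        raise ValueError("authentication failed")
    return hash_password(password) if is_legacy_record(stored) else stored


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    legacy = legacy_sha1_hash("letmein")
    print("legacy record recovered from table:", recover_from_table(legacy, table))
    modern = hash_password("letmein")
    print("salted record recovered from table:", recover_from_table(modern, table))
    print("migrated record:", upgrade_on_login("letmein", legacy)[:40], "...")
```

Two users with the same password get two different salted records, so an attacker holding the dump must attack each record separately at the full iteration cost, which is the property the comment above says unsalted SHA-1 lacks. The migration step is how a site removes legacy hashes without ever seeing plaintext passwords outside a login request.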
“This is concerning, not only due to the very prolonged initial breach, but also due to the fact that we are now almost two months past the end of that initial breach, and one month past the second breach. The main risk for users here is the connection between their identity and a potentially re-used password – there are tools available for hackers to attempt to analyze the protected passwords to break weaker passwords, and then test those retrieved credentials against a large set of popular online services. So if you are a user re-using your passwords – firstly stop doing so, and secondly, ensure that you change the password on any sites where your Flipboard password could have been reused. If this was your email, also ensure you still have control of all your online accounts.”
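The credential-stuffing follow-on described in the quote above, seen from the defender's side: one source trying recovered credentials against many different accounts. The added Python example below (written for this page, not Flipboard's code) runs a simple detector over constructed sample log lines; the log format, window and thresholds are assumptions. A successful login inside a flagged burst is the most important output, since it points at an account whose reused password has just been confirmed:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample authentication log (not real Flipboard logs). Format assumed:
# <ISO-8601 UTC> login src=<ip> user=<account> result=ok|fail
SAMPLE_LOG = """\
2019-04-22T03:14:01Z login src=198.51.100.9 user=alice@example.com result=ok
2019-04-22T03:14:03Z login src=203.0.113.7 user=alice@example.com result=fail
2019-04-22T03:14:04Z login src=203.0.113.7 user=bob@example.com result=fail
2019-04-22T03:14:05Z login src=203.0.113.7 user=carol@example.com result=fail
2019-04-22T03:14:06Z login src=203.0.113.7 user=dave@example.com result=ok
2019-04-22T03:14:07Z login src=203.0.113.7 user=erin@example.com result=fail
2019-04-22T03:20:00Z login src=198.51.100.9 user=alice@example.com result=fail
2019-04-22T03:20:02Z login src=198.51.100.9 user=alice@example.com result=fail
2019-04-22T03:20:04Z login src=198.51.100.9 user=alice@example.com result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "ok"}


def detect_credential_stuffing(lines, window_seconds=300, min_distinct_users=4):
    """Flag any source that attempts logins against many *different* accounts
    within a sliding time window. One source, many accounts is the stuffing
    signature; one account, many attempts (alice from 198.51.100.9 in the
    sample) is ordinary brute force and is deliberately not flagged here.
    Returns {src: {"distinct_users", "attempts", "failures", "successes"}}."""
    events = sorted(
        (e for e in (parse_line(l) for l in lines) if e is not None),
        key=lambda e: e["ts"],
    )
    per_src = defaultdict(deque)  # recent events per source, oldest first
    flagged = {}
    for e in events:
        q = per_src[e["src"]]
        q.append(e)
        # Drop events that have aged out of the window.
        while (e["ts"] - q[0]["ts"]).total_seconds() > window_seconds:
            q.popleft()
        users = {x["user"] for x in q}
        if len(users) >= min_distinct_users:
            flagged[e["src"]] = {
                "distinct_users": len(users),
                "attempts": len(q),
                "failures": sum(1 for x in q if not x["ok"]),
                # Accounts that accepted a password during the burst: these are
                # the reused passwords the quote warns about; force a reset.
                "successes": sorted(x["user"] for x in q if x["ok"]),
            }
    return flagged


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

Thresholds this low only make sense on a toy log; in production the distinct-account count per source is compared against a baseline for that network (shared NAT and mobile carriers legitimately show many users per IP), and the `successes` list feeds a forced password reset and token revocation, which is the response the article says Flipboard took for all users.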
“Proactive security measures need to be in place at all times to protect the enterprise attack surface and to secure the sensitive data it collects. Flipboard did not have enough insight into their systems to determine that 150 million users’ data was exposed to hackers for nine months. The information hackers had access to during that time, including Flipboard usernames, cryptographically protected passwords and email addresses, can now be weaponized in future account takeover attacks.”
ISBuzz Team embodies the collaborative efforts of the dedicated staff at Information Security Buzz, converging a wide range of skills and viewpoints to present a unified, engaging voice in the information security realm. This entity isn't tied to a single individual; instead, it's a dynamic embodiment of a team diligently working behind the scenes to keep you updated and secure. When you read a post from ISBuzz Team, you're receiving the most relevant and actionable insights, curated and crafted by professionals tuned in to the pulse of the cybersecurity world. ISBuzz Team - your reliable compass in the fast-evolving landscape of information security