Flipboard Breach: Industry Leaders Comments

By ISBuzz Team | May 30, 2019 | Updated: July 4, 2024

Flipboard, a social sharing site and news aggregator, has reset millions of user passwords after hackers gained access to its systems several times over a nine-month period. The company confirmed in a notice Tuesday that the hacks took place between June 2, 2018 and March 23, 2019, and a second time on April 21-22, 2019, but the intrusions were only detected a day later, on April 23. Hackers stole usernames, email addresses, passwords and account tokens for third-party services. According to the notice, “not all” Flipboard users’ account data was involved in the breaches, but the company declined to say how many users were affected. Flipboard has about 150 million monthly users.

Although the passwords were unreadable, Flipboard said passwords prior to March 14, 2012 were scrambled using the older, weak SHA-1 hashing algorithm. Any passwords changed after that date are scrambled using a much stronger algorithm that makes them far more difficult to reveal in a usable format. The hacks also exposed account tokens, which give Flipboard access to data from accounts on other services, like Facebook, Google and Samsung.
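A store that holds SHA-1 records from before a cutoff date and stronger records after it has to verify both kinds and retire the old ones. The following is an added example, not Flipboard's code: it verifies either record type, replaces a legacy record on the next successful login, and lists the accounts still on SHA-1. The record format, the function names and the choice of PBKDF2-HMAC-SHA256 are assumptions; the article does not name the stronger algorithm.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Record format (constructed for this example): "scheme$salt_hex$digest_hex"
STRONG = "pbkdf2-sha256"
ITERATIONS = 600_000  # assumed work factor; tune to the login latency budget

def hash_legacy_sha1(password: str, salt: bytes) -> str:
    """Salted SHA-1 record: a single fast hash, cheap to guess against offline."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"

def hash_strong(password: str, salt: bytes = b"") -> str:
    """Slow, salted KDF record; a fresh random salt is drawn unless one is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{STRONG}${salt.hex()}${digest.hex()}"

def verify_and_upgrade(password: str, record: str) -> tuple[bool, str]:
    """Return (ok, record_to_store); a legacy record is replaced on success."""
    try:
        scheme, salt_hex, _digest = record.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False, record  # malformed record: fail closed
    if scheme == STRONG:
        candidate = hash_strong(password, salt)
    elif scheme == "sha1":
        candidate = hash_legacy_sha1(password, salt)
    else:
        return False, record  # unknown scheme: fail closed
    # Constant-time comparison of the recomputed record with the stored one.
    if not hmac.compare_digest(candidate.encode(), record.encode()):
        return False, record
    if scheme == "sha1":
        return True, hash_strong(password)  # re-hash while the plaintext is in hand
    return True, record

def legacy_accounts(store: dict[str, str]) -> list[str]:
    """Accounts still on SHA-1: the ones to force-reset first after a breach."""
    return sorted(user for user, rec in store.items() if rec.startswith("sha1$"))
```

Upgrade-on-login only helps users who return; records for dormant accounts stay on SHA-1 until they are reset or invalidated, which is what `legacy_accounts` is for.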

https://twitter.com/campuscodi/status/1133528551175708679

Expert Comments:

Ben Goodman, VP of Global Strategy and Innovation at ForgeRock:

“Data theft and cyber-attacks represent the number four and five global risks facing organizations across every vertical according to the World Economic Forum’s 2019 Global Risks Report. That being said, companies must be more prepared to defend user data from malicious outsiders, or suffer the consequences of lawsuits, sanctions from data privacy laws, decreased user trust, tarnished brand reputation, damaged investor relations and more. In fact, First American Title Company has already had a nationwide class action lawsuit filed against it after it failed to secure 885 million records of customer data last week. 

Unfortunately, the fact that Flipboard was breached for at least nine months is not that uncommon as companies can go for years before learning about unauthorized access. Users that received a notice about the breach from Flipboard should immediately change their login credentials across all accounts that use the same email, username and/or passwords to prevent the success of potential credential stuffing attacks. 

Organizations like Flipboard that rely heavily on improving user experience are tasked with striking the right balance between security and customer choice to deliver the most secure and meaningful experience across all digital touch-points. Solutions leveraging intelligent contextual authentication can assist these organizations by allowing them to utilize device, contextual and behavioral analytics, user choice and risk-based factors as authentication while maintaining compliance. This allows for increased user adoption rates and improves the customer experience all while redirecting suspicious users for further monitoring.”   

Terry Ray, SVP at Imperva:  

“Organisations that want or need to collect private data on individuals must accept the responsibility for protecting that data. When housing data in a cloud environment, businesses often unintentionally leave databases vulnerable and these back to back breaches highlight how modern data repositories have created a fundamental conflict in businesses.

“Modern data repositories can often provide cost savings, business intelligence, information sharing and increased technology scale, yet they also introduce complexities and requirements which often require advanced enablement of technical staff before their use. It is yet another area in which technology and business needs are outpacing the expertise of technical staff, and this discrepancy is leading to simple security mistakes that simply shouldn’t happen.

“That said, Flipboard was doing something right: not storing passwords in plaintext. Flipboard smartly stores passwords either hashed or uniquely salted meaning that it is incredibly difficult for attackers to obtain your password.”  

Robert Prigge, President at Jumio:  

“It looks like Flipboard is following the standard breach recourse playbook. After some portion of their 150 million users had their usernames, email addresses, passwords and account tokens for third-party services stolen, Flipboard is now resetting the passwords for all their users and replacing/deleting all digital tokens. This is obviously a smart initial move, but the larger, more important question is why continue to rely on usernames and passwords? Every time there’s a data breach, more of our personal data creeps into the Dark Web where it can be bought and sold for pennies. It’s time to abandon this archaic practice and embrace biometric-based authentication, and consumers are already aching for companies to make the move. Increasingly, we are using our face to unlock our phones, so it only makes sense to rely on our phones to unlock our accounts — and keep the fraudsters out of them.”  

Jonathan Olivera, Threat Analyst at Centripetal:

Flipboard is yet another platform with a large following of 150 million users a month that hackers will look to compromise. Flipboard let their users down by using an outdated SHA-1 hashing algorithm to store user passwords. I would predict that those hashes were not salted which would prevent a rainbow table attack meant to be used against weak hashing algorithms.  

This breach is representative of many companies that think this type of breach will not happen to them. The truth of the matter may be that many companies like Flipboard are potentially already breached but do not have the means of finding out or lack the knowledge to identify their weak points. In this environment, the reactive approach to security just lets the world know the current status quo of tech giants’ security standards in 2019.

Martin Jartelius, CSO at Outpost24:

“This is concerning, not only due to the very prolonged initial breach, but also due to the fact that we are now almost two months past the end of that initial breach, and one month past the second breach. The main risk for users here is the connection between their identity and a potentially re-used password – there are tools available for hackers to attempt to analyze the protected passwords to break weaker passwords, then testing those retrieved credentials against a large set of popular online services. So for any user re-using your passwords – firstly stop doing so, and secondly, ensure that you change the password on any sites where your Flipboard password could have been reused. If this was your email, also ensure you still have control of all your online accounts.” 

Kevin Gosschalk, CEO at Arkose Labs: 

“Proactive security measures need to be in place at all times to protect the enterprise attack surface and to secure the sensitive data it collects. Flipboard did not have enough insight into their systems to determine that 150 million users’ data was exposed to hackers for nine months. The information hackers had access to during that time, including Flipboard usernames, cryptographically protected passwords and email addresses, can now be weaponized in future account takeover attacks.”  


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
