A security incident in the Flipboard news application allowed malicious users to access the company’s systems for more than nine months; According to specialists in the IICS’s information security course, developers have already begun to notify the impacted users.
In the notification that the affected users have received, Flipboard mentions that the threat actors obtained access to the databases that the company used to store the users’ information.
Experts from the IICS information security course affirm that the compromised databases stored information such as:
- Platform’s passwords
- Email address (only in some cases)
- Digital tokens linking the Flipboard account with third party services
Despite the seriousness of the incident, apparently not everything is bad news, as the company applied the hashing algorithm Bcrypt for most of the passwords of its users; Specialists from the International Institute of Cyber Security (IICS) consider this to be a very difficult security measure to break.
In its security alert, Flipboard clarifies that some passwords were protected with an algorithm that is considered less secure (SHA-1), although they are few compared to passwords protected with Bcrypt. “If your account was created or your password was restored after March 2012, your password is protected with Bcrypt; on the other hand, passwords that have not been updated since that date are protected with SHA-1”, the company mentions.
The company argues that hackers were unable to access all user accounts, although the exact amount of compromised Flipboard users is still unknown. “We continue our research to determine the total number of affected users”, the company mentions.
Although the company acted proactively using the Bcrypt algorithm, experts from the information security course consider this incident to have been much more serious, as hackers managed to remain in the corporate networks for almost a year, between June 2018 and April 2019. After detecting the intrusion, Flipboard developers began their risk mitigation process and informed the authorities.