A security incident in the Flipboard news application allowed malicious users to access the company’s systems for more than nine months; According to specialists in the IICS’s information security course, developers have already begun to notify the impacted users.
In the notification that the affected users
have received, Flipboard mentions that the threat actors obtained access to the
databases that the company used to store the users’ information.
Experts from the IICS information security
course affirm that the compromised databases stored information such as:
- Username
- Platform’s
passwords - Email
address (only in some cases) - Digital
tokens linking the Flipboard account with third party services
Despite the seriousness of the incident,
apparently not everything is bad news, as the company applied the hashing
algorithm Bcrypt
for most of the passwords of its users; Specialists from the International Institute
of Cyber Security (IICS) consider this to be a very difficult security measure
to break.
In its security alert, Flipboard clarifies that
some passwords were protected with an algorithm that is considered less secure
(SHA-1), although they are few compared to passwords protected with Bcrypt.
“If your account was created or your password was restored after March
2012, your password is protected with Bcrypt; on the other hand, passwords that
have not been updated since that date are protected with SHA-1”, the
company mentions.
The company argues that hackers were unable to
access all user accounts, although the exact amount of compromised Flipboard
users is still unknown. “We continue our research to determine the total
number of affected users”, the company mentions.
Although the company acted proactively using the
Bcrypt algorithm, experts from the information security course consider this
incident to have been much more serious, as hackers managed to remain in the
corporate networks for almost a year, between June 2018 and April 2019. After
detecting the intrusion, Flipboard developers began their risk mitigation
process and informed the authorities.
