Flipboard has been targeted by hackers, prompting the company to perform a password reset for its community of around 145 million users.
Upon learning of the hack, the Palo Alto, California-based social media and news aggregator informed law enforcement and also contacted an external security firm. Investigators confirmed that hackers had “accessed and potentially obtained copies of certain databases containing Flipboard user information” between June 2, 2018 and March 23, 2019, and also on April 21 and 22, 2019.
The stolen information extended to some users’ account information, including names, Flipboard usernames, cryptographically protected passwords, and email addresses.
Flipboard uses a technique called “salted hashing” to improve the security of users’ passwords, and the company confirmed that no passwords had been stored in plain text.
It said, however, that as a precautionary measure it had decided to reset all users’ passwords.
“When you access your Flipboard account from a new device, or the next time you log into Flipboard after logging out of your account, you will be asked to create a new password,” the company explained in a message on a special webpage offering updates on the security breach. If your original Flipboard password is the same for any other online services that you use, you’re urged to change it for those services, too.
The company added that if anyone connected their Flipboard account to a third-party account — including social media accounts — then the databases may have contained digital tokens for connecting their Flipboard account to that third-party account. The company said it hasn’t found any evidence of the hackers accessing any third-party account connected to users’ Flipboard accounts. But, erring on the side of caution, it has decided to replace or delete all digital tokens, meaning you’ll have to reconnect Flipboard to those services. Details on how to do so can be found on this Flipboard webpage, which also contains an extensive FAQ section related to the breach.
Flipboard said it’s still identifying precisely which user accounts were caught up in the hack. It was also keen to point out that it holds no information such as Social Security numbers, bank account, credit card, or other financial information, and therefore such data was not involved in the hack.
The company assured users that it has already implemented “enhanced security measures” to prevent a similar kind of incident from occurring in the future.
The incident is just the latest in a string of online security incidents that have come to light in recent months, with Facebook, 500px, and Quora among those targeted.