Social magazine service Flipboard Inc. has been hacked, with the details of most but not all of its 150 million registered users stolen.

The hack, disclosed Tuesday, was possibly multiple hacks with the company saying that “some of our databases containing certain Flipboard users’ account information” occurred between June 2, 2018, and March 23, 2019, and April 21 to 22, 2019.

The information stolen included names, usernames, email addresses and hashed passwords. Flipboard, while failing to use the words “hack” and “hacked” in its “notice of security incident” advisory, wasn’t shy in emphasizing that the stolen passwords were “cryptographically protected” using a combination of salting and encryption.

While sounding great in theory, the company then went on to admit that the encryption involved bcrypt for users who signed up prior to March 2012 and SHA-1 for later users. Both are legacy encryption standards and can be fairly easily hacked.

Putting aside that most Flipboard users have probably had their passwords stolen, it gets worse. Flipboard warned that those behind the “security incident” also stole access tokens used by users to connect to their Flipboard account using social media sites.

Potentially that means those behind the hack could also possibly have access to user accounts on any site Flipboard users have accessed via social media logins such as signing in with Facebook.

Kevin Stear, lead threat analyst at JASK Inc., told SiliconANGLE that the Flipboard hack is another sign of the continuing value and utilization of compromised credentials in the criminal underground.

“We’re consistently seeing compromised credentials weaponized in a number of different campaigns, from well-crafted social engineering APT attacks to context aware (i.e., replying to a thread) phishes for commodity crimeware malware such as Emotet to credential stuffing campaigns against victim DMZ infrastructure,” Stear explained. “Until organizations put holistic safeguards in place (that end users accept) to better protect against credential and data theft, bad actors will continue to prey on vulnerable entities in hopes of compromising information they can use to line their pockets.”

Ben Goodman, vice president of global strategy and innovation at ForgeRock Inc., noted that the fact that Flipboard was breached for at least nine months is not that uncommon.

“Users who received a notice about the breach from Flipboard should immediately change their login credentials across all accounts that use the same email, username and/or passwords to prevent the success of potential credential stuffing attacks,” Goodman advised.

Image: Flipboard