UPDATED 23:13 EDT / MAY 29 2019

SECURITY

User data including poorly encrypted passwords stolen in hack of Flipboard

Social magazine service Flipboard Inc. has been hacked, with the details of most but not all of its 150 million registered users stolen.

The hack, disclosed Tuesday, was possibly multiple hacks: the company said that access to “some of our databases containing certain Flipboard users’ account information” occurred between June 2, 2018, and March 23, 2019, and again on April 21 to 22, 2019.

The information stolen included names, usernames, email addresses and hashed passwords. Flipboard, while failing to use the words “hack” and “hacked” in its “notice of security incident” advisory, wasn’t shy in emphasizing that the stolen passwords were “cryptographically protected” using a combination of salting and encryption.

While that sounds great in theory, the company then went on to admit that the encryption involved bcrypt for users who signed up prior to March 2012 and SHA-1 for later users. Both are legacy encryption standards and can be fairly easily hacked.

Putting aside that most Flipboard users have probably had their passwords stolen, it gets worse. Flipboard warned that those behind the “security incident” also stole access tokens used by users to connect to their Flipboard account using social media sites.

That means those behind the hack could potentially also have access to user accounts on any site Flipboard users have accessed via social media logins, such as signing in with Facebook.

Kevin Stear, lead threat analyst at JASK Inc., told SiliconANGLE that the Flipboard hack is another sign of the continuing value and utilization of compromised credentials in the criminal underground.

“We’re consistently seeing compromised credentials weaponized in a number of different campaigns, from well-crafted social engineering APT attacks to context aware (i.e., replying to a thread) phishes for commodity crimeware malware such as Emotet to credential stuffing campaigns against victim DMZ infrastructure,” Stear explained. “Until organizations put holistic safeguards in place (that end users accept) to better protect against credential and data theft, bad actors will continue to prey on vulnerable entities in hopes of compromising information they can use to line their pockets.”

Ben Goodman, vice president of global strategy and innovation at ForgeRock Inc., noted that the fact that Flipboard was breached for at least nine months is not that uncommon.

“Users who received a notice about the breach from Flipboard should immediately change their login credentials across all accounts that use the same email, username and/or passwords to prevent the success of potential credential stuffing attacks,” Goodman advised.
