Flipboard has reset millions of customer passwords after hackers gained unauthorised access to user data for nine months.
The social sharing site, which has around 150 million monthly users, confirmed the breach in a statement on Tuesday, revealing that the repeated intrusions took place between 2 June 2019 and 23 March 2019.
Flipboard also detected a second intrusion, which took place between 21 and 22 April 2019; this one was spotted less than a day later, on 23 April.
The hacker(s) stole user data including email addresses, passwords and usernames, the company confirmed. Account tokens for third-party services were also taken.
“We’re still identifying the accounts involved and as a precaution, we reset all users’ passwords and replaced or deleted all digital tokens,” the company said in a statement.
Flipboard sought to calm fears over the stolen account tokens, which give the company access to data from users' accounts on other services, including Facebook, Google and Samsung.
“We have not found any evidence the unauthorised person accessed third-party accounts(s) connected to users’ Flipboard accounts,” the statement read.
Flipboard has cryptographically protected user passwords using a technique known as ‘salted hashing’. The company insisted that the benefit of hashing passwords is that “we never need to store the passwords in plain text.”
Although the stolen passwords were not stored in readable form, Flipboard confirmed that passwords created before March 2012 were protected with the weaker SHA-1 hashing algorithm. Passwords created or changed after that point were hashed with a far stronger algorithm, making it much harder for the hacker(s) to recover them.
“Using a unique salt for each password in combination with the hashing algorithms makes it very difficult and requires significant computer resources to crack these passwords,” the company explained. “If users created or changed their password after March 14, 2012, it is hashed with a function called bcrypt.”
“If users have not changed their password since then, it is uniquely salted and hashed with SHA-1,” the statement added.
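The two-scheme situation Flipboard describes (accounts never re-hashed since 2012 still on salted SHA-1, newer ones on a slow hash) is exactly what a transparent upgrade-on-login handles. The following is an added example, not Flipboard's code; the record format is constructed, and standard-library PBKDF2-HMAC-SHA256 stands in for bcrypt so it runs offline, the migration logic being the same.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed record formats for one password store holding both schemes:
#   legacy:  "sha1$<salt hex>$<sha1 hex>"               (fast, weak)
#   strong:  "pbkdf2$<iterations>$<salt hex>$<dk hex>"  (slow, tunable)
# PBKDF2 is a stand-in for bcrypt; both are salted, slow, and tunable.
PBKDF2_ITERATIONS = 200_000


def legacy_sha1_hash(password: str, salt: bytes) -> str:
    """Pre-2012-style scheme: a single SHA-1 pass over salt || password."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow, per-password-salted hash; a fresh random salt unless one is given."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute under whichever scheme the record uses; constant-time compare."""
    scheme, *fields = stored.split("$")
    if scheme == "sha1":
        salt_hex, _digest = fields
        candidate = legacy_sha1_hash(password, bytes.fromhex(salt_hex))
    elif scheme == "pbkdf2":
        iterations, salt_hex, _dk = fields
        candidate = strong_hash(password, bytes.fromhex(salt_hex), int(iterations))
    else:
        return False
    return hmac.compare_digest(candidate, stored)


def login_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Verify a login; if the record is still legacy SHA-1, re-hash it under
    the strong scheme now that the plaintext is briefly available.
    Returns (login_ok, record_to_write_back)."""
    if not verify(password, stored):
        return False, stored
    if stored.startswith("sha1$"):
        return True, strong_hash(password)
    return True, stored
```

Accounts that never log in are never upgraded, which is why a breach still leaves the long-dormant SHA-1 records exposed and a forced reset is the only remaining fix for them.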