When a news aggregator app becomes part of the headline news, that only means trouble, a lot of trouble. Flipboard, a mainstream news aggregator app with 500 million+ downloads and at least 150 million unique monthly active users from the Google Play Store alone, disclosed that its user account database was hit by a massive data breach that started nine months ago. The app's developers tried to downplay the gravity of the breach, claiming that no financial or social security data was included and that only Flipboard user accounts, login passwords (properly hashed and salted) and users' email addresses were stolen from their system.
“We recently identified unauthorized access to some of our databases containing certain Flipboard users’ account information, including account credentials. In response to this discovery, we immediately launched an investigation and an external security firm was engaged to assist,” explained Flipboard’s developers in their official blog post.
According to Flipboard's disclosure, unknown third parties had access to its user account database from June 2, 2018, to March 23, 2019. A second, similar intrusion against the app took place between April 21, 2019, and April 22, 2019. Upon initial inspection of the database, Flipboard confirmed that the unauthorized parties were able to steal information from its system during the periods mentioned. The developers also admitted that, prior to an update on March 14, 2012, Flipboard was using a weaker encryption system for users' login credentials, which means that older users of the app are much more vulnerable to identity theft as a result of the breach.
“To help prevent something like this from happening in the future, we implemented enhanced security measures and continue to look for additional ways to strengthen the security of our systems. We also notified law enforcement. You can continue to use Flipboard without further action. However, next time you log into your account, you will notice your Flipboard account password needs to be updated. You will find instructions on our support page explaining how to create a new password,” added Flipboard developers.
Flipboard organized a team to conduct internal forensic checks after the discovery of the breach; however, it took them a while to inform the potentially affected users. At the time of this writing, all Flipboard users have already received an email from the app's developers providing more specific information about the incident. A password change is also mandatory for all current users, and the app developers strongly recommend using a unique password exclusively for Flipboard, as recycling the same password across multiple sites often exposes users to further risk of identity theft.
“We want you to be confident that the email notification you may receive is from Flipboard. The email will come from the following email address: firstname.lastname@example.org. Please note that the email you may receive from us will not contain any attachments or request any information from you, and any links will only bring you back to this webpage,” concluded Flipboard developers.