Flipboard resets user passwords after recent data breach
data breachon the platform.
- The news aggregator did not disclose how many accounts had been affected by the vulnerability.
- Users have been asked to check their accounts and set up new passwords.
The app has over one million downloads in Google Play Store but the company has not disclosed how many users were actually affected — just that, not everyone was exposed.
As a precaution, we have reset all users’ passwords, even though the passwords were cryptographically protected and not all users’ account information was involved.
Flipboard assured users that until now, they haven’t found evidence that the data breach led to the hacker gaining access to any of the third party accounts — like Facebook, Google and Twitter — which are linked with Flipboard user’s accounts.
We deeply regret this incident happened. For more information and answers to frequently asked questions, we have created a support page with more details about the incident.
How much data was exposed?
According to Flipboard, they identified that somebody had gained unauthorised access to their databases, which contained user account information and credentials.
On discovering the breach, the American tech start up launched an investigation and hired an external security firm to find out what had happened.
Their inquiry revealed that the data breach happened between June 2, 2018 to March 23, 2019 and April 21-22, 2019.
Flipboard’s third party login feature has been around since 2015. It allows users to sign up for the news service using Google, Facebook or Twitter. During the data breach, hackers were able to access the digital tokens that connect Flipboard to third party accounts.
Before the data breach was caught, hackers would have had the option to use the tokens to make changes to a user's account and invite new people on to the platform without the user’s consent. But, Flipboard claims that in the course of their investigation, they found no evidence that hackers had actually done so.
(Data breach) potentially may have allowed the unauthorized person to read or make posts and messages on the account and access some user account information, such as user name, profile information, posts to the site, and connections. In some cases, this access also allowed changes to this information, such as inviting new people to connect.
At the end of the day, as long as users change their password and re-authorize any third party account access — the old digital tokens won’t be of any use to the hackers.