We are writing to let you know about a security incident we recently identified and addressed involving a subset of user data. We know transparency is important to our community, and we want to share with you what we have learned from our investigation, measures we have taken, as well as steps you can take.
We recently identified unauthorized access to some of our databases containing certain Flipboard users’ account information, including account credentials. In response to this discovery, we immediately launched an investigation and engaged an external security firm to assist. Findings from the investigation indicate an unauthorized person accessed and potentially obtained copies of certain databases containing Flipboard user information between June 2, 2018 and March 23, 2019, and between April 21 and 22, 2019.
What information was involved
The databases involved may have contained your name, Flipboard username, cryptographically protected password and email address.
Flipboard has always cryptographically protected passwords using a technique known to security experts as “salted hashing”. The benefit of hashing passwords is that we never need to store the passwords in plain text. Moreover, combining a unique salt for each password with the hashing algorithm makes cracking these hashed passwords very difficult and computationally expensive. If you created or changed your password after March 14, 2012, it is hashed with a function called bcrypt. If you have not changed your password since then, it is uniquely salted and hashed with SHA-1.
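An added example (not Flipboard's code) of the two-scheme setup the notice describes: records that are still uniquely salted SHA-1 are verified as they are and transparently re-hashed with a slow, salted hash at the next successful login, so the legacy records disappear one user at a time. hashlib.scrypt stands in for bcrypt because bcrypt is not in Python's standard library, and the `scheme$salt$digest` record format is an assumption.

```python
import hashlib
import hmac
import os

# Constructed example, not Flipboard's code. Two stored record formats are
# assumed: a legacy "sha1$<salt hex>$<digest hex>" (uniquely salted SHA-1)
# and a current slow hash. hashlib.scrypt stands in for bcrypt here because
# bcrypt needs a third-party package; the upgrade-on-login logic is the same.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def legacy_sha1_hash(password, salt):
    """Fast, salted SHA-1: the older scheme the notice describes."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return "sha1$%s$%s" % (salt.hex(), digest)


def strong_hash(password, salt=None):
    """Slow, salted hash (scrypt as a bcrypt stand-in); fresh salt per record."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS).hex()
    return "scrypt$%s$%s" % (salt.hex(), digest)


def verify(password, stored):
    """Check a password against either record type, in constant time."""
    try:
        scheme, salt_hex, _ = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if scheme == "sha1":
        candidate = legacy_sha1_hash(password, salt)
    elif scheme == "scrypt":
        candidate = strong_hash(password, salt)
    else:
        return False
    return hmac.compare_digest(candidate, stored)


def login(password, stored):
    """Verify a login; if the record is legacy SHA-1, re-hash it with the
    strong scheme so the database migrates one user at a time."""
    if not verify(password, stored):
        return False, stored
    if stored.startswith("sha1$"):
        return True, strong_hash(password)
    return True, stored
```

The same password under two different salts yields two different records, which is what stops a single precomputed table from covering every user.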
Additionally, if you connected your Flipboard account to a third-party account, including social media accounts, then the databases may have contained digital tokens used to connect your Flipboard account to that third-party account. We have not found any evidence the unauthorized person accessed third-party account(s) connected to your Flipboard accounts. As a precaution, we have replaced or deleted all digital tokens.
Importantly, we do not collect from users, and this incident did not involve, Social Security numbers or other government-issued IDs, bank account, credit card, or other financial information.
What we are doing
As a precaution, we have reset all users’ passwords, even though the passwords were cryptographically protected and not all users’ account information was involved. You can continue to use Flipboard on devices from which you are already logged in. When you access your Flipboard account from a new device, or the next time you log into Flipboard after logging out of your account, you will be asked to create a new password.
As another precautionary step, we disconnected tokens used to connect to all third-party accounts, and in collaboration with our partners, we replaced all digital tokens or deleted them where applicable.
Additionally, to help prevent something like this from happening in the future, we implemented enhanced security measures and continue to look for additional ways to strengthen the security of our systems. We also notified law enforcement.
What you can do
You can continue to use Flipboard without further action. However, next time you log into your account, you will notice your Flipboard account password needs to be updated. You will find instructions on our support page (linked below) explaining how to create a new password. Also, if you use the same username and password you created for Flipboard for any other online service, we recommend you change your password there, too.
If you connected your Flipboard account to a third-party account to see its content, you may notice in some cases that you need to reconnect it. On our support page you will also find instructions for how to do this.
Where to find more information
We deeply regret this incident happened. For more information and answers to frequently asked questions, we have created a support page with more details about the incident.
The Flipboard team
It is of course quite annoying that they were hacked, but they "forget" to mention that the salt used to salt the hashes has to be stored in the same database as the hashes. So actually useless.
Bcrypt is already a step forward; it's just a pity they stayed stuck on SHA1 instead of moving on to SHA2 or 3.
It also states which affected product it concerns. So iOS, for example, but the very recent WhatsApp 0day is also neatly listed.
The list starts in 2014, since Project Zero was started then.
Here is the list: https://docs.google.com/s...ajnSyY/htmlview?sle=true#
This is a so-called living document, so it is actively kept up to date.