Published on May 30th, 2019
Prolonged Flipboard breach incident could make some users flip their lids
An unauthorized party accessed databases belonging to news and social network aggregation service Flipboard and possibly stole copies of certain users' information.
The illegal activity took place over a nearly 10-month span from June 2, 2018 through March 23, 2019, then paused before resuming on April 21 and 22 of this year, according to an online notification posted by Palo Alto, California-based Flipboard, which delivers content via its own app and website.
"On April 23, 2019, our engineering team identified the unauthorized activity that occurred on April 21-22, 2019. At that time, we were investigating the suspicious activity that occurred on March 23, 2019," the notification states.
Flipboard's services are used by a reported 150 million visitors per month. It is currently unclear how many of its users were affected in the incident, but the company has confirmed that exposed information includes names, usernames, salted and hashed passwords, and, for a subset of victims, email addresses and digital tokens that link third-party online accounts to their Flipboard accounts.
Passwords that were created or changed after March 14, 2012 are protected with bcrypt, while older passwords are protected with SHA-1. Nevertheless, Flipboard is still requiring users to change their credentials the next time they attempt to log in. The company has decided not to force an immediate update by automatically logging out users, however.
The company also says it disconnected and then replaced or deleted all digital tokens in response to the incident, even though there is no evidence that the perpetrator accessed any third-party accounts linked with Flipboard.
Flipboard does not collect highly sensitive PII such as Social Security numbers, government-issued IDs and financial information.
To prevent a repeat of this incident, the company says "we implemented enhanced security measures and continue to look for additional ways to strengthen the security of our systems." Flipboard also has engaged with both law enforcement and an external security firm.
But Kevin Gosschalk, CEO at Arkose Labs, suggested that it's a case of too little, too late. "Proactive security measures need to be in place at all times to protect the enterprise attack surface and to secure the sensitive data it collects," said Gosschalk, in emailed comments. "Flipboard did not have enough insight into their systems to determine that… users' data was exposed to hackers for nine months," and now that information can potentially "be weaponized in future account takeover attacks."
Asaf Hecht, cybersecurity researcher at CyberArk, said the prolonged breach is a "perfect example of the meticulous and patient nature of today's cyber attackers and how organizations miss multiple opportunities to thwart attacks across the cyber kill chain." The months that the hacker spent hidden on Flipboard's network "is typically used to conduct reconnaissance to identify a company's most valued data and plot pathways that go around existing security systems. This period of reconnaissance and lateral movement is a critical part of the cyber kill chain when attacks can be mitigated before causing damage."
Terry Ray, SVP and fellow at Imperva, remarked that while modern data repositories offer an array of enticing benefits to user organizations, they also "introduce complexities and requirements" that require a skilled technical staff to manage responsibly. "It is yet another area in which technology and business needs are outpacing the expertise of technical staff, and this discrepancy is leading to simple security mistakes that simply shouldn't happen," said Ray.
"That said, Flipboard was doing something right: not storing passwords in plaintext," Ray continued. Hashing and salting makes it "incredibly difficult for attackers to obtain your password."
Casey Ellis, CTO and founder of Bugcrowd, also praised Flipboard for its response upon discovery of the intruder. "Once it identified the breach, it reacted quickly, rotating user passwords and launching an investigation," he said. "Although nine months is a long time to have a bad guy in your network, this incident demonstrates both how common the opportunity for an attacker to enter a network is and how difficult it is to identify the problem once they're entrenched."
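The split the notification describes (newer passwords under bcrypt, pre-2012 passwords under SHA-1) and the salting point Ray makes are easier to weigh with a concrete store in front of you. The following is an added example, not Flipboard's code or anything taken from its notification: it assumes a small in-memory user table, a verify-then-rehash step that upgrades a legacy record the next time its owner logs in (the kind of step a forced credential change on next login makes possible), and it substitutes PBKDF2-HMAC-SHA256 for bcrypt because PBKDF2 ships with Python's standard library while bcrypt needs a third-party package. The function names (`legacy_sha1_hash`, `strong_hash`, `login`, `legacy_count`), the iteration count and the sample users are all constructed for this illustration.

```python
import hashlib
import hmac
import os

# Constructed example: a password store with a legacy salted-SHA-1 scheme
# beside a slow, salted, work-factor scheme, plus a login path that verifies
# the password and rehashes legacy entries with the stronger scheme.
# bcrypt is the scheme the article names; PBKDF2-HMAC-SHA256 stands in for it
# here only because it ships with hashlib. The property that matters is the
# same: a per-user salt plus a tunable cost that makes every guess expensive.

PBKDF2_ITERATIONS = 200_000  # assumed cost; tune to the hardware budget


def legacy_sha1_hash(password: str, salt: bytes) -> str:
    """Legacy scheme: one fast SHA-1 over salt || password.
    The salt defeats precomputed tables, but a single SHA-1 is cheap, so a
    stolen hash can still be attacked with guesses at very high speed."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def strong_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Work-factor scheme (stand-in for bcrypt). The iteration count is stored
    with the hash so it can be raised later without breaking old records."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def is_legacy(stored: str) -> bool:
    return stored.startswith("sha1$")


def verify_password(password: str, stored: str) -> bool:
    """Recompute the stored record from the candidate password and compare in
    constant time, whichever scheme the record uses."""
    scheme, rest = stored.split("$", 1)
    if scheme == "sha1":
        salt_hex, _digest = rest.split("$")
        candidate = legacy_sha1_hash(password, bytes.fromhex(salt_hex))
    elif scheme == "pbkdf2":
        iterations, salt_hex, _dk = rest.split("$")
        candidate = strong_hash(password, bytes.fromhex(salt_hex), int(iterations))
    else:
        raise ValueError(f"unknown password scheme: {scheme}")
    return hmac.compare_digest(candidate, stored)


def login(users: dict, username: str, password: str) -> bool:
    """Verify a login; on success, upgrade a legacy record in place."""
    stored = users.get(username)
    if stored is None:
        # Spend comparable work so an unknown username is not revealed by timing.
        strong_hash(password, b"\x00" * 16)
        return False
    if not verify_password(password, stored):
        return False
    if is_legacy(stored):
        users[username] = strong_hash(password, os.urandom(16))  # fresh salt
    return True


def legacy_count(users: dict) -> int:
    """How many records still await the upgrade: the number an operator tracks."""
    return sum(1 for stored in users.values() if is_legacy(stored))


# Constructed user table: one legacy-style record, one record on the strong scheme.
USERS = {
    "alice": legacy_sha1_hash("correct horse battery", bytes.fromhex("00112233445566778899aabbccddeeff")),
    "bob": strong_hash("staple", bytes.fromhex("ffeeddccbbaa99887766554433221100")),
}

if __name__ == "__main__":
    print("legacy records before:", legacy_count(USERS))
    print("alice, wrong password:", login(USERS, "alice", "nope"))
    print("alice, right password:", login(USERS, "alice", "correct horse battery"))
    print("legacy records after:", legacy_count(USERS))
```

The design point is that the scheme tag at the front of each record lets verification and migration coexist: a failed login never touches the record, a successful login against a legacy record rewrites it under the strong scheme with a fresh salt, and `legacy_count` gives the operator a measurable remainder rather than an open-ended "some users are still on SHA-1".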