The news aggregator Flipboard announced that it suffered a breach, unauthorized users had access to some databases storing user account information.

The news and social media aggregator Flipboard disclosed on Tuesday that it suffered a breach, unauthorized users had access to some databases storing user information.

Hackers had access to the company systems between June 2, 2018, and March 23, 2019, and again on April 21-22, 2019. On April 23, the internal staff noticed suspicious activity in its infrastructure.

“We recently identified unauthorized access to some of our databases containing certain Flipboard users’ account information, including account credentials,” reads the incident notice published by Flipboard. “In response to this discovery, we immediately launched an investigation and an external security firm was engaged to assist. Findings from the investigation indicate an unauthorized person accessed and potentially obtained copies of certain databases containing Flipboard user information between June 2, 2018 and March 23, 2019 and April 21 – 22, 2019.”

Flipboard have more than 145 million users and hackers have exfiltrated their data. Stolen records include names, usernames, password hashes, email addresses, and for some users digital tokens used to access Flipboard through third-party services.

Flipboard said that most of the passwords were hashed with bcrypt, while the passworts for users that have not logged into their account since March 14, 2012, were protected with SHA-1 hashing algorithm and uniquely salted.

Flipboard has not found any evidence the hackers accessed third-party accounts connected to users’ accounts, anyway as a precaution, the company replaced or deleted all digital tokens. At the time it is not clear the extent of the breach, anyway, the company forced a password reset for all its users.

The news aggregator pointed out that it does not collect users’ data, this means that the data breach did not expose sensitive data.

“Notably, Flipboard does not collect from users, and this incident did not involve, government issued IDs (such as Social Security numbers or driver’s license numbers), or payment card, bank account, or other financial information.” continues the security notice.

Flipboard reported the incident to the authorities and hired a security firm to help with the investigation.


If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini