News aggregation platform Flipboard has revealed that it suffered a data breach that went on for nine months.
“We recently identified unauthorized access to some of our databases containing certain Flipboard users’ account information, including account credentials. In response to this discovery, we immediately launched an investigation and an external security firm was engaged to assist. Findings from the investigation indicate an unauthorized person accessed and potentially obtained copies of certain databases containing Flipboard user information between June 2, 2018 and March 23, 2019 and April 21 – 22, 2019,” the company wrote in a statement.
The databases involved in the breach held some users’ account information, including name, Flipboard username, cryptographically protected password and email address. Flipboard has more than 145 million monthly active users, but it didn’t reveal how many accounts have been impacted.
The company explained that if users connected their Flipboard account to a third-party account, including social media accounts, then the databases may have also contained digital tokens used to make the connection. While there has been no evidence that the unauthorized person accessed third-party account(s) connected to users’ Flipboard accounts, the company has still replaced or deleted all digital tokens as a precaution.
In addition, “we have reset all users’ passwords, even though the passwords were cryptographically protected and not all users’ account information was involved. You can continue to use Flipboard on devices from which you are already logged in. When you access your Flipboard account from a new device, or the next time you log into Flipboard after logging out of your account, you will be asked to create a new password. As another precautionary step, we disconnected tokens used to connect to all third-party accounts, and in collaboration with our partners, we replaced all digital tokens or deleted them where applicable.”
Flipboard has also implemented enhanced security measures to prevent another breach from occurring in the future, and notified law enforcement.