News aggregator app Flipboard hacked: All passwords reset after hackers pinch user data

News aggregation app Flipboard has publicly confessed that hackers accessed personal data about its members. Although the biz did not say how many customers had been affected, the app has been installed more than half a billion times, according to its Google Play Store listing. The databases that got away, according to a …

  1. rmason Silver badge

    Not just hacked

    Not just hacked, but left compromised for, what, 11 months?

    Jeebus.

    They will have taken absolutely everything they wanted, and/or absolutely everything that was available.

  2. Hans Neeson-Bumpsadese Silver badge

    Over half a billion installs

    Perhaps, but if it's the app I'm thinking of it came pre-installed on my last phone and one of the first things I did was disable it because it was annoying. I suspect there may be many cases like me, so install numbers don't necessarily equate to registered users.

    1. Anonymous Coward

      "it came pre-installed on my last phone and one of the first things I did was disable it"

      So what? I note that you didn't say you uninstalled it.

      *You* may not be able to make use of the "disabled" app but why do you think the functionality it provided (and the hackability?) won't be available to other apps on the same phone?

      Just askin for a friend...

      1. Hans Neeson-Bumpsadese Silver badge

        The app could be disabled, but I struggled to find a way to uninstall it - the phone manufacturer seemed to have baked it in to their Android installation.

        I never created a user account or anything, so I don't see a danger of any apps using it in the background and doing anything that would put my identity at risk, seeing as I never provided one to the app in the first place.

  3. Tigra 07 Silver badge

    Flipboard was once installed on Samsung phones by default, so this may be one reason why it has so many installs. Other manufacturers may have also made deals like this. As I remember, Flipboard was terrible.

    1. GnuTzu Silver badge

      "...by default."

      This is the sort of thing that ticks me off as an infosec person. Normally, I'd say no big loss for a compromised account on a news aggregator--assuming all that was stored was username, password, and subscribed lists. But, if that thing ties back to a phone app that would risk compromising the entire phone, then it's time to wipe the entire phone.

      1. Tigra 07 Silver badge
        Meh

        RE: GnuTzu

        I guess it depends on whether people ever used the app or not and created an account. I did, and now my details may be compromised. I may not have ever used it if it wasn't installed by default.

  4. nagyeger

    not just phones

    I've got a sammy tablet that has it pre-installed. I've not knowingly associated any ID with it, but it's still bugging me with news clips, etc, and who knows what permissions Samsung decided it ought to have.

  5. Claptrap314 Silver badge

    So...institutionally insecure?

    Let's see. In April of 2010, they moved from SHA-1 to bcrypt as their password hash. Their options follow:

    1) Add a bit to their user table, indicating old vs new. When a password is updated, keep the same system.

    2) Add a bit to their user table, indicating old vs new. When a password is updated, store in new.

    3) Add a bit to their user table, indicating old vs new. When an old user logs in, force a password update, and store new.

    4) Add a bit to their user table, indicating old vs new. When an old user logs in, use SHA-1 and then bcrypt.

    These guys operating in the EU? GDPR anyone?

    1. Old Bobby
      FAIL

      Re: So...institutionally insecure?

      Or do it right.

      5) Add a bit to their user table, indicating old vs new. Bcrypt the SHA-1 for old passwords. Even works if they forgot to salt their SHA-1. Doesn't require the user to login before it's secured...

    2. Donn Bly

      Re: So...institutionally insecure?

      or

      Add no bit to user table, but expand the password field so that it is large enough to store a bcrypt hash.

      Then, on logon validation, look at the length of the stored hash. If length != 20 ** then assume bcrypt and proceed accordingly, but if length == 20 then assume SHA-1, validate against the stored hash, and if it passes, update the stored hash with the bcrypted version of the same value. After a REASONABLE period of time, expire and wipe any account still having an SHA-1 hash in the database, and if the user does come back make them go through a password reset procedure to establish a new, secure password.

      ** or 40 if storing the hexadecimal string instead of the actual hash.
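The two migration strategies above (Old Bobby's "wrap the existing SHA-1 in bcrypt now, offline" and Donn Bly's "sniff the stored format at login, verify, then re-hash") fit together in one code path, shown here as an added example that is not Flipboard's code nor anything posted in this thread. It assumes a hypothetical in-memory user table (name to stored hash) and, so that it runs with the standard library alone, uses salted PBKDF2-HMAC-SHA256 as a stand-in for bcrypt; the `$wrapped$` prefix, the `!reset` sentinel and the iteration count are choices made for the demo. Legacy rows are unsalted SHA-1 as 40 hex characters, the case Old Bobby notes his option still covers.

```python
import hashlib
import hmac
import os
import re

# Legacy scheme assumed by the thread: unsalted SHA-1 stored as 40 hex chars.
LEGACY_RE = re.compile(r"^[0-9a-f]{40}$")
WRAPPED_PREFIX = "$wrapped$"   # hypothetical marker for strong(sha1(pw)), the "option 5" form
RESET_REQUIRED = "!reset"      # hypothetical sentinel written after the grace period
ITERATIONS = 50_000            # PBKDF2 work factor, standing in for bcrypt's cost


def legacy_sha1(password):
    """The old, unsalted scheme. Only here so the demo can build legacy rows."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def strong_hash(secret, salt=None):
    """Salted PBKDF2-HMAC-SHA256 as a stdlib stand-in for bcrypt.
    Stored as $pbkdf2$<iterations>$<salt hex>$<derived key hex>."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return "$pbkdf2$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def strong_verify(secret, stored):
    """Constant-time check of `secret` against a $pbkdf2$ record."""
    try:
        _, algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    except ValueError:          # wrong field count, bad hex or bad iteration count
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


def wrap_legacy_hashes(users):
    """Option 5: wrap every raw SHA-1 in the strong hash right now, offline,
    so no stored password waits unprotected until its owner next logs in.
    Returns how many rows were wrapped."""
    wrapped = 0
    for name, stored in list(users.items()):
        if LEGACY_RE.match(stored):
            users[name] = WRAPPED_PREFIX + strong_hash(stored)
            wrapped += 1
    return wrapped


def verify_and_upgrade(users, name, password):
    """Donn Bly's approach: decide the scheme from the stored format, verify,
    and on success replace any legacy or wrapped hash with a native one."""
    stored = users.get(name)
    if stored is None or stored == RESET_REQUIRED:
        strong_hash(password)       # burn similar time so unknown users are not cheaper to probe
        return False
    if LEGACY_RE.match(stored):                       # raw SHA-1 (20 bytes, 40 hex)
        ok = hmac.compare_digest(legacy_sha1(password), stored)
    elif stored.startswith(WRAPPED_PREFIX):           # strong(sha1(pw)) from the offline wrap
        ok = strong_verify(legacy_sha1(password), stored[len(WRAPPED_PREFIX):])
    else:                                             # already native strong(pw)
        return strong_verify(password, stored)
    if ok:
        users[name] = strong_hash(password)           # we hold the plaintext: upgrade now
    return ok


def expire_unmigrated(users):
    """After a reasonable grace period: wipe any remaining raw SHA-1 rows so the
    only way back in is a password reset. Returns the affected user names."""
    stale = sorted(n for n, h in users.items() if LEGACY_RE.match(h))
    for n in stale:
        users[n] = RESET_REQUIRED
    return stale


if __name__ == "__main__":
    # Constructed sample table: two legacy rows as the old system would have left them.
    table = {"alice": legacy_sha1("correct horse"), "bob": legacy_sha1("hunter2")}
    print("wrapped offline:", wrap_legacy_hashes(table))
    print("alice, wrong password:", verify_and_upgrade(table, "alice", "wrong"))
    print("alice, right password:", verify_and_upgrade(table, "alice", "correct horse"))
    print("alice now stored as:", table["alice"][:8] + "...")
    print("expired after grace period:", expire_unmigrated(table))
```

The wrap step and the login step are independent: a site can do only the offline wrap (every row is strong within one batch job, at the cost of a double hash on each legacy login until it is re-hashed), only the at-login upgrade (no batch job, but raw SHA-1 sits in the table until each user returns), or both. Whichever is chosen, the rule Donn Bly adds matters: rows that never migrate should be expired and forced through a reset rather than left as unsalted SHA-1 indefinitely.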

  6. elvisimprsntr

    Never heard of it!

    1. Wild Elk

      Seriously? Used to come pre-installed on Samsung devices. No idea if they still do as I haven’t owned a Samsung device since S4/Note 3.

  7. Anonymous Coward

    Ho-hum, another free year's credit monitoring in the offing.

  8. macjules Silver badge

    While we are on the subject ..

    Did anyone else receive a notification from Spotify along the lines of "Oops please would you mind resetting your password, it's nothing to worry about, we just noticed some strange activity on our servers."?

  9. BigAndos

    "half a billion installs" probably about 12 by choice, always had to disable it when getting a new phone!

  10. Bodestone

    Just got my notification from Flipboard

    Terrible lag time on response to users. OK, others may have been worse but it's still not acceptable.

Biting the hand that feeds IT © 1998–2019