Cyber Incident Victim: Flipboard
Date: Jun 2018
Location: United States of America
Summary
Flipboard experienced unauthorized access to databases containing user account information, including cryptographically protected passwords (primarily hashed with bcrypt, some older accounts using salted SHA-1), names, usernames, email addresses, and digital tokens for linked third-party accounts. The company responded by resetting all user passwords, replacing or deleting digital tokens, and implementing enhanced security measures. While financial data and government IDs were not involved, the incident potentially exposed tokens that could allow limited access to connected social media accounts, though no evidence of such misuse was found. Law enforcement was notified during the investigation.
Description
Flipboard identified unauthorized access to databases containing certain user account information. The access occurred in two distinct periods: between June 2, 2018, and March 23, 2019, and again on April 21–22, 2019. The company discovered the April 2019 intrusion on April 23 while investigating suspicious activity from March 23. The compromised databases held names, Flipboard usernames, cryptographically protected passwords, email addresses, and digital tokens for third-party account linkages. Passwords were secured using salted hashing: bcrypt for accounts created or updated after March 14, 2012, and uniquely salted SHA-1 for older unchanged passwords. Digital tokens enabled connections to social media or publisher accounts but did not grant access to financial data, government IDs, or third-party account credentials. Flipboard confirmed no evidence of unauthorized third-party account access through these tokens.

Upon detection, Flipboard initiated an investigation with an external security firm and implemented immediate containment measures. The company reset all user passwords as a precaution, despite not all accounts being confirmed as compromised, and invalidated all digital tokens linked to third-party services. Enhanced security protocols were deployed across systems, though specific technical details were withheld. Law enforcement was notified, and users received email instructions for password resets and social media account reconnections. The password reset process required users to authenticate via email, with platform-specific guidance provided for iOS, Android, and web interfaces. Flipboard emphasized that financial data remained unaffected and reiterated its practice of avoiding plaintext password storage. The incident response concluded with token replacements, system hardening, and user notifications, though the total number of affected accounts remained undetermined at the time of disclosure.
