Flipboard suffers data breach, responds expertly


Data breaches, sad as it is to say, are a part of corporate life now. Despite the best intentions (and expertly designed security systems), no system is truly hack-proof. As long as humans have logins, there will be vulnerabilities in sensitive systems. That doesn’t mean you shouldn’t do everything in your power to prevent them, obviously, but it does mean you should have contingency plans for when they do happen. For many, offline, secure backups are a huge part of that puzzle. But for any consumer- or client-facing company that handles login information or sensitive data from those users or clients, there’s another vital skill set you should give some thought to: what do you do if your database is compromised? Flipboard just provided a masterclass in how to handle the worst.

Flipboard breach

Flipboard is a popular news aggregator that proved to be one of the more popular news apps in the App Store when it launched. When Facebook expanded into the genre with its News Feed, a lot of aggregators like Flipboard struggled to maintain users. But as Facebook has faced increased fallout from their privacy blunders — as well as backlash from publishers and readers for no longer sending referral traffic to those publishers — Flipboard has been on a pretty huge upswing of late.

Unfortunately for Flipboard, with that upswing came increased digital snooping, and a breach did indeed occur. According to the company’s public release (for which they built a custom landing page, replete with every piece of relevant data a user could want), Flipboard:

“… recently identified unauthorized access to some of our databases containing certain Flipboard users’ account information, including account credentials. In response to this discovery, we immediately launched an investigation and an external security firm was engaged to assist. Findings from the investigation indicate an unauthorized person accessed and potentially obtained copies of certain databases containing Flipboard user information between June 2, 2018 and March 23, 2019 and April 21 – 22, 2019.”

Flipboard response

Now here’s where Flipboard really shone. The company emailed each affected user directly, telling them in plain English precisely what happened, when it happened, how it happened and how their respective data was involved.

Flipboard went so far as to explain precisely how the user information was stored and encrypted, so their users knew exactly what was going on:

“Flipboard has always cryptographically protected passwords using a technique known by security experts as “salted hashing”. The benefit of hashing passwords is that we never need to store the passwords in plain text. Moreover, using a unique salt for each password in combination with the hashing algorithms makes it very difficult and requires significant computer resources to crack these passwords. If users created or changed their password after March 14, 2012, it is hashed with a function called bcrypt.”
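To make the salted hashing in that notice concrete, here is an added example (not Flipboard's code and not part of the original article). It uses PBKDF2 from Python's standard library as a stand-in for bcrypt so it runs without third-party packages; the record format, iteration count and sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumed policy values for this example (not Flipboard's settings).
SCHEME = "pbkdf2_sha256"
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$hash_hex."""
    salt = secrets.token_bytes(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and cost; compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
        if scheme != SCHEME:
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:
        return False  # malformed record: fail closed
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when a record is malformed or was created under a weaker cost than current policy."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME or not parts[1].isdigit():
        return True
    return int(parts[1]) < ITERATIONS


def demo() -> dict:
    # Constructed sample data: two users who picked the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    old = hash_password("hunter2", iterations=10_000)  # record from an older policy
    return {
        "same_password_different_records": alice != bob,
        "alice_ok": verify_password("correct horse battery staple", alice),
        "wrong_rejected": not verify_password("wrong guess", alice),
        "old_still_verifies": verify_password("hunter2", old),
        "old_needs_rehash": needs_rehash(old),
        "new_needs_rehash": needs_rehash(alice),
    }
```

Calling `demo()` shows that two identical passwords produce different stored records, and that a record written under an older cost setting still verifies but is flagged for re-hashing at the user's next successful login.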

In addition to providing the specifics of the attack as well as the cryptography and response, Flipboard also posted an FAQ section and contact form to ensure users understand, in plain English, exactly what all this means, what users can do, and what they ought to do in the future.

Of course Flipboard and its users would prefer the database hadn’t been hacked, but Flipboard’s response was stellar. The company released all relevant information to every affected user in terms anyone can understand, and their cryptography means even having access to the database might not net the hacker much usable intel, especially as Flipboard reset everyone’s password automatically.

You hate to see the worst happen when it comes to data breaches, but Flipboard avoided the worst with solid security and a textbook response plan.