Flipboard, the news aggregation app used by 150 million people a month, stated in a security notice that hackers had access to its database "between June 2, 2018 and March 23, 2019 and April 21 – 22, 2019." Over roughly nine months of access, the intruders were able to read user account information: names, usernames, email addresses, and hashed passwords (often loosely described, as here, as "encrypted").
The saving grace is that Flipboard salted and hashed its passwords rather than storing them in the clear, which would have been perfectly adequate in 2000. The catch is the hash function: according to Flipboard, any account whose password had not been changed since March 14, 2012 still had it salted and hashed with SHA-1. Security experts have considered SHA-1's collision resistance broken since 2005, and not long ago (2017) researchers produced a practical collision, two different files with the same SHA-1 digest. Collisions are not what puts stored passwords at risk, though; what matters is that SHA-1 is fast. Commodity GPUs test billions of salted SHA-1 guesses per second, so an attacker holding the dump (salts are stored alongside the hashes) can run a dictionary attack against every account and recover each weak or common password. The salt only stops a precomputed table from being reused across users; it does nothing to slow down a per-user guessing run. That effort is worth it because so many people reuse the same password across services: a password recovered from the Flipboard dump could unlock the same person's email or bank account. Cracking the strong passwords would still be expensive, and data like this is most valuable to well-resourced buyers; state-backed groups in China, North Korea, and Russia would be the likely customers if it were ever sold on the black market.
All that said, the hacker would probably not have been able to do much with the information at hand beyond harvesting email addresses for phishing campaigns. Flipboard also notes that it does not collect sensitive information from users, which limits the potential damage of the breach considerably. To counter the SHA-1 weakness, Flipboard has reset passwords and requires current users to create a new one, so that every password is now hashed with bcrypt, a deliberately slow hash with a tunable cost parameter that makes each guess far more expensive than a SHA-1 computation.
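To make the SHA-1 versus bcrypt point above concrete, here is an added example that is not Flipboard's code or the code in its notice. It builds a constructed legacy record the way the article describes pre-2012 Flipboard passwords (SHA-1 over salt plus password), runs an offline dictionary attack against it to show that the salt does not slow a per-user attack, and then measures how much cheaper a SHA-1 guess is than a guess against a slow, tunable KDF. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, which needs a third-party package; the work-factor principle is the same. It also goes one step beyond the page: rather than forcing a reset, a legacy record can be transparently rehashed under the slow scheme the next time the user logs in successfully. All names, salts, and the sample password and wordlist are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed sample data (not from Flipboard).
LEGACY_SALT = bytes.fromhex("a3f1c2d4e5b6a7980112233445566778")
LEGACY_PASSWORD = "Summer2011!"  # constructed weak password
LEGACY_WORDLIST = ["password", "letmein", "flipboard", "Summer2011!", "qwerty123"]

# Work factor for the slow KDF; bcrypt's cost parameter plays the same role.
PBKDF2_ITERATIONS = 200_000


def salted_sha1(password: str, salt: bytes) -> str:
    """Legacy scheme from the article: SHA-1 over salt || password. Fast, so crackable."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Deliberately slow KDF (PBKDF2-HMAC-SHA256 standing in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def legacy_record() -> dict:
    """One stored row as the pre-2012 scheme would have kept it: salt beside hash."""
    return {"scheme": "sha1", "salt": LEGACY_SALT.hex(),
            "hash": salted_sha1(LEGACY_PASSWORD, LEGACY_SALT)}


def crack_salted_sha1(target_hex: str, salt: bytes, wordlist) -> Optional[str]:
    """Offline dictionary attack on one leaked record. The salt is known to the
    attacker, so it costs nothing extra per guess; it only defeats precomputed
    tables shared across users."""
    for candidate in wordlist:
        if hmac.compare_digest(salted_sha1(candidate, salt), target_hex):
            return candidate
    return None


def guesses_per_second(hash_fn, samples: int) -> float:
    """Rough throughput of hash_fn over `samples` candidate passwords."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"candidate{i}", salt)
    return samples / (time.perf_counter() - start)


def cost_ratio() -> float:
    """How many times cheaper a SHA-1 guess is than a slow-KDF guess on this machine."""
    fast = guesses_per_second(salted_sha1, 20_000)
    slow = guesses_per_second(slow_hash, 3)
    return fast / slow


def make_record(password: str) -> dict:
    """New-style record: fresh random salt, slow hash, scheme tag for future migrations."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt.hex(), "hash": slow_hash(password, salt)}


def verify_and_upgrade(record: dict, password: str) -> Tuple[bool, dict]:
    """Check a login against a stored record. A legacy SHA-1 record that verifies
    is rewritten under the slow scheme, the alternative to a forced reset.
    Returns (ok, record_to_store)."""
    salt = bytes.fromhex(record["salt"])
    if record["scheme"] == "sha1":
        ok = hmac.compare_digest(salted_sha1(password, salt), record["hash"])
        return (True, make_record(password)) if ok else (False, record)
    ok = hmac.compare_digest(slow_hash(password, salt), record["hash"])
    return ok, record


if __name__ == "__main__":
    row = legacy_record()
    print("cracked legacy password:", crack_salted_sha1(row["hash"], LEGACY_SALT, LEGACY_WORDLIST))
    print("SHA-1 guesses are about %.0fx cheaper than slow-KDF guesses" % cost_ratio())
    ok, new_row = verify_and_upgrade(row, LEGACY_PASSWORD)
    print("login ok:", ok, "| stored scheme is now:", new_row["scheme"])
```

Two details matter in practice: comparisons use `hmac.compare_digest` so the verification path does not leak timing, and every record carries a scheme tag so the next migration (to bcrypt, Argon2, or a higher cost) can be done the same way without another mass reset.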
Many might wonder why the hacker went undetected for so long. Beyond apologizing for the breach, Flipboard offers no explanation, and it really doesn't need to: detecting intrusions is a hard, industry-wide problem. According to the 2017 Cost of a Data Breach study, it takes a company 206 days on average to detect a breach, and that figure reflects attackers who know what they're doing. That is the crux of the problem: the whole point of an intrusion is to stay undetected for as long as possible. Unless defenders can recognize an intrusion from its behaviour rather than waiting for a known signature, these numbers won't fall much. It's a bit like trying to develop a vaccine for a pathogen you know nothing about, so it becomes a game of cat and mouse.
Donald E. Hester, a cyber security blogger, describes the danger of such prolonged access to data:
The hackers' access to the system for such a long period means they can gain more and more control of systems and find all the data of worth and exfiltrate it without being noticed. It is like having a warehouse with no lighting and no one watching to see thieves emptying the warehouse.
In Flipboard's case, the breach was only detected after the hacker had gotten in not once, but twice. The company is still determining how many accounts were affected; in the meantime it has notified law enforcement and strengthened its security.