Flipboard Resets Passwords After Database IntrusionsHashed and Salted Usernames and Passwords Exposed
News aggregator Flipboard has initiated a systemwide password reset affecting as many as 150 million users following two database intrusions.
The company says it is taking the password reset precaution "even though the passwords were cryptographically protected and not all users' account information was involved." Flipboard engineers discovered the situation on April 23.
Flipboard says one intrusion occurred between June 2, 2018, and March 23, 2019, and another over a shorter period, between April 21 and 22 this year. An unauthorized person "accessed and potentially obtained copies of certain databases containing Flipboard user information," the firm says, noting it has notified law enforcement.
"In response to this discovery, we immediately launched an investigation and an external security firm was engaged to assist," Flipboard says in an advisory.
The data exposed included usernames and passwords that were hashed and salted. For some users, email addresses and tokens used to connect their Flipboard accounts to third-party applications also were exposed. Those tokens have now been invalidated, Flipboard says.
Those who use their Twitter, Google, Samsung or Facebook credentials to log into Flipboard are not affected because the company doesn't store those passwords and it has since "rotated" the digital tokens. Flipboard says it doesn't collect any financial or identification information.
Uh-Oh: SHA-1 Hashes
The password leak potentially poses a problem for Flipboard users.
Like many service providers, Flipboard hashes plain-text passwords. Hashing is the process by which a plain-text password is run through a mathematical function, which creates a cryptographic representation of the password.
Flipboard says the hashes had salt, a security measure where unique values are added to the cryptographic output.
The security provided by hashing, however, also is dependent upon the hashing algorithm used. In theory, hackers shouldn't be able to discover the plain-text password if the hash is obtained. But advances in computing power have made it possible to rapidly generate hashes in hopes of matching one.
Also, like many service providers, Flipboard had previously used the SHA-1 algorithm to hash passwords. But hashes generated with that algorithm are considered vulnerable to cracking, and many online services have discarded SHA-1.
Flipboard says it switched to bcrypt after March 14, 2012, but some SHA-1 hashes may have been compromised.
Bcrypt is a popular hashing function these days because it takes computers much longer to generate random bcrypt hashes, thus extending the guessing period password crackers have to undertake.
This is another case where we see a company rolling from an old hashing algo (SHA-1) to a new one (bcrypt) but trying to do so only as people auth. This keeps catching people out, only way to do it is to bcrypt those SHA-1 hashes and get it all done in one go. https://t.co/OfRgsywfzr— Troy Hunt (@troyhunt) May 29, 2019
In recent years, many online services have switched to bcrypt but only applied it to new user accounts or for reset passwords. A complete rip-and-replace means users have to be nudged to set up their passwords again so they can be hashed with the new algorithm. Online services are generally reluctant to do that because it inconveniences their users.
"This is another case where we see a company rolling from an old hashing algo (SHA-1) to a new one (bcrypt) but trying to do so only as people auth," Hunt writes on Twitter. "This keeps catching people out, only way to do it is to bcrypt those SHA-1 hashes and get it all done in one go."
The biggest risk for users from the Flipboard security incident is if they have used their Flipboard passwords on other online services.
Security experts advise that the best way to protect against the knock-on effects of a compromise of one online service is to use a unique password for every site. While password managers are popular products that help with keeping track of dozens of login credentials, they're still a niche tool.
Large lists of username and password combinations collected from slipups such as Flipboard's are traded and sold in underground forums. The data is often used for so-called "credential stuffing" attacks, in which attackers try different combinations of credentials in hopes of unlocking an account.
Many online services are acutely aware of the risks that credential stuffing poses and take measure to defend against such efforts. OWASP recommends encouraging users to use two-step verification, and on the server side, IP blacklists, device fingerprinting techniques and CAPTCHAs.
OWASP also recommends avoiding automatically setting a username as a person's email address and running passwords selected by users against Hunt's Pwned Passwords service. That service compares if a proposed password has already shown up in a data breach.