Updated May 28, 2019

Flipboard recently identified and addressed a security incident involving a subset of user data. We know transparency is important to our community, and we have created this page to share what we have learned from our investigation, measures we have taken, and what steps users can take in response.

What happened

We recently identified unauthorized access to some of our databases containing certain Flipboard users’ account information, including account credentials. In response to this discovery, we immediately launched an investigation and engaged an external security firm to assist. Findings from the investigation indicate that an unauthorized person accessed and potentially obtained copies of certain databases containing Flipboard user information during two periods: between June 2, 2018 and March 23, 2019, and on April 21 – 22, 2019.

What information was involved

The databases involved contained some of our users’ account information, including name, Flipboard username, cryptographically protected password and email address.

Flipboard has always cryptographically protected passwords using a technique known by security experts as “salted hashing”. The benefit of hashing passwords is that we never need to store the passwords in plain text. Moreover, combining a unique salt for each password with the hashing algorithm makes these passwords very difficult to crack, requiring significant computer resources. If users created or changed their password after March 14, 2012, it is hashed with a function called bcrypt. If users have not changed their password since then, it is uniquely salted and hashed with SHA-1.

Additionally, if users connected their Flipboard account to a third-party account, including social media accounts, then the databases may have contained digital tokens used to connect their Flipboard account to that third-party account. We have not found any evidence the unauthorized person accessed third-party account(s) connected to users’ Flipboard accounts. As a precaution, we have replaced or deleted all digital tokens.

Importantly, we do not collect from users, and this incident did not involve, Social Security numbers or other government-issued IDs, bank account, credit card, or other financial information.

What we are doing

As a precaution, we have reset all users’ passwords, even though the passwords were cryptographically protected and not all users’ account information was involved. You can continue to use Flipboard on devices from which you are already logged in. When you access your Flipboard account from a new device, or the next time you log into Flipboard after logging out of your account, you will be asked to create a new password.

As another precautionary step, we disconnected tokens used to connect to all third-party accounts, and in collaboration with our partners, we replaced all digital tokens or deleted them where applicable.

Additionally, to help prevent something like this from happening in the future, we implemented enhanced security measures and continue to look for additional ways to strengthen the security of our systems. We also notified law enforcement.

What you can do

You can continue to use Flipboard without further action. However, next time you log into your account, you will notice your Flipboard account password needs to be updated. You will find instructions on our support page (linked below) explaining how to create a new password. Also, if you use the same username and password you created for Flipboard for any other online service, we recommend you change your password there, too.

If you connected your Flipboard account to a third-party account to see its content, you may notice in some cases that you need to reconnect it. On our support page you will also find instructions for how to do this.

Where to find more information?

We deeply regret this incident happened. For more information we are providing answers to frequently asked questions about the incident further down on this page. If you need additional help, please select Contact at our Help Center.

===

FREQUENTLY ASKED QUESTIONS

Was my Flipboard user information involved in the incident?

Not all Flipboard users’ account information was involved in the incident. We’re still identifying the accounts involved and as a precaution, we reset all users’ passwords and replaced or deleted all digital tokens.

What information could have been involved in this incident?

The following types of information were contained in the database involved:

user names;

hashed and uniquely salted passwords; and

for some Flipboard users, email addresses and digital tokens that link third-party accounts to the user’s Flipboard account.

The vast majority of passwords were hashed with the utility called bcrypt. For Flipboard users that have not logged into their account since March 14, 2012, the passwords were protected with SHA-1 and uniquely salted.

If you connected your Flipboard account to a third-party account, including social media accounts, then the databases may have contained digital tokens used to connect your Flipboard account to that third-party account. As a precaution, we have replaced or deleted all digital tokens to eliminate any possibility of misuse.

Notably, Flipboard does not collect from users, and this incident did not involve, government issued IDs (such as Social Security numbers or driver’s license numbers), or payment card, bank account, or other financial information.

What have you done to prevent a similar incident in the future?

To help prevent something like this from happening in the future, we implemented enhanced security measures and continue to look for additional ways to strengthen the security of our systems. For security reasons we are not sharing specific details.

What is a hashed password?

When a password is hashed, it is turned into a random-looking string of characters through cryptographic algorithms. Hashing is a one-way function: there is no key that decrypts the result back to the password. The benefit of hashing passwords is that we never need to store the passwords in plain text. Moreover, combining a unique salt for each password with the hashing algorithm makes these passwords very difficult to crack, requiring significant computer resources.

What is “bcrypt”?

Bcrypt is an adaptive password hashing mechanism that uses a block cipher cryptographic algorithm and other security features, including multiple rounds of computation, to provide advanced protection against password cracking.

What is password salting?

Adding “salt” to a hashed password provides an additional layer of security, specifically against brute force attacks. The salts Flipboard used were unique to each user.
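The two kinds of stored password described on this page (uniquely salted SHA-1 and an adaptive, multi-round hash) can be illustrated with the following added example, which is not Flipboard's code. PBKDF2 from the Python standard library stands in for bcrypt as the adaptive function, and the record format, salt placement, round count and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ROUNDS = 200_000  # assumed work factor for this example


def hash_legacy_sha1(password: str, salt: bytes) -> str:
    """Salted single-pass SHA-1: unique per user, but very fast to compute."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def hash_adaptive(password: str, salt: Optional[bytes] = None,
                  rounds: int = ROUNDS) -> str:
    """Multi-round hash (PBKDF2 standing in for bcrypt) with a random salt."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2${rounds}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        scheme, *parts = record.split("$")
        if scheme == "sha1":
            salt_hex, _ = parts
            candidate = hash_legacy_sha1(password, bytes.fromhex(salt_hex))
        elif scheme == "pbkdf2":
            rounds, salt_hex, _ = parts
            candidate = hash_adaptive(password, bytes.fromhex(salt_hex), int(rounds))
        else:
            return False
    except ValueError:  # malformed record
        return False
    return hmac.compare_digest(candidate, record)


def login(store: dict, user: str, password: str) -> bool:
    """Check a login; on success, replace a legacy record with an adaptive one."""
    record = store.get(user)
    if record is None or not verify(password, record):
        return False
    if record.startswith("sha1$"):
        store[user] = hash_adaptive(password)  # upgrade while plaintext is in hand
    return True
```

Because each record carries its own salt, two users with the same password end up with different stored values, and a legacy record can only be upgraded at a moment when the user supplies the password.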

What is a digital token?

Flipboard users are able to connect their Flipboard accounts to their third-party accounts, including social media and publisher accounts. When making any such connection, a digital token is created. The digital token establishes a unique connection between a user’s Flipboard account and social media account that allows users to see content from those third parties on Flipboard. In some cases, it also allows users to comment on or share articles from Flipboard to their third-party accounts. Flipboard replaced or deleted all of its users’ digital tokens because some of those tokens were contained in the databases involved. Flipboard users may need to re-authenticate or reconnect their Flipboard account, to create a new digital token and see content from these accounts again.

When did you find out about this incident?

On April 23, 2019, our engineering team identified the unauthorized activity that occurred on April 21-22, 2019. At that time, we were investigating the suspicious activity that occurred on March 23, 2019.

How did you learn about the incident?

Our engineering team became aware of the incident after identifying suspicious activity in the environment where the databases reside.

Were all Flipboard user accounts involved?

No. Not all Flipboard users’ accounts were involved in the incident. However, as a precaution, we reset all users’ passwords. If you have a Flipboard account, you were sent an email notice from Flipboard to the email address associated with your Flipboard account. The email contained the subject line “Flipboard Security Notice.”

How many accounts were involved?

We’re still in the process of determining the total number. We do know that not all accounts were compromised.

If I use Twitter/Google/Samsung/Facebook to log into my Flipboard account, can I continue to do so? Do I need to reset my password?

If you use Twitter/Google/Samsung/Facebook to log into your Flipboard account, you can continue to do so. Your password is not stored in our database and we’ve rotated digital tokens.

Have you reported this incident to law enforcement?

Yes, we notified law enforcement.

If my data was involved, what are my risks? Could my identity be stolen?

Flipboard does not collect from users, and this incident did not involve, sensitive personal information like government-issued IDs (like Social Security numbers and driver’s license numbers) or payment card, bank account, or other financial information.

As a precaution, we recommend you change any password you use for other accounts if it is the same or similar to your Flipboard password. You should regularly change all passwords and not use the same or similar passwords for different online accounts.

Could the digital tokens be used to access my third-party accounts?

Flipboard replaced or deleted all digital tokens. Those tokens are no longer valid and therefore cannot be misused. Prior to the digital tokens being replaced or deleted, the access that the unauthorized person may have had to the third-party accounts linked to Flipboard accounts varies by the type of linked account as well as the permissions the user gave when linking it to the user’s Flipboard account, but potentially may have allowed the unauthorized person to read or make posts and messages on the account and access some user account information, such as user name, profile information, posts to the site, and connections. In some cases, this access also allowed changes to this information, such as inviting new people to connect. We have not found any evidence the unauthorized person accessed third-party account(s) connected to your Flipboard accounts.

Is it safe to continue using my Flipboard account?

Yes. We reset all users’ passwords and deleted any digital tokens associated with users’ accounts so you can continue to safely use Flipboard.

When you try to log into your Flipboard account, you will notice that your Flipboard account password is no longer valid. If you use an email address to log into your Flipboard account, we sent you an email with instructions on how to create a new password and relink your social media accounts.

If you use your Twitter, Facebook, Samsung or Google account to access your Flipboard account, your login process continues to be secure and no password change is required.

How do I reset my password?

If you are on the Web, you can reset your password at https://accounts.flipboard.com/. Please note in order to reset your password, you will need access to the email address associated with your Flipboard account.

If you are on your mobile device, please follow these steps in the Flipboard app:

For Android Phones:

1. From the login page, select Get Started, and then Login in the top right corner;

2. Select Email, and type in your Flipboard associated email address;

3. Select Forgot username or password? to open the Account Help page;

4. Select Forgot Password?;

5. Enter your account email;

6. Tap Send.

For Apple Phones:

1. From the login page, select Login in the top right corner, then Log in with Email;

2. Select Forgot your password? to open the Account Help page;

3. Select Forgot Password?;

4. Enter your account email;

5. Tap Send.

For Apple iPad:

1. Start by selecting Already have an account? Log In;

2. Select Need Help? to open the Account Help page;

3. Select Forgot Password?;

4. Enter your account email;

5. Tap Send.

For Android Tablets:

1. Start by selecting Existing account? Tap to log in;

2. Select Email, and type in your Flipboard associated email address;

3. Select Forgot username or password? to open the Account Help page;

4. Select Forgot Password?;

5. Enter your account email;

6. Tap Send.

Be sure to complete the password reset soon, as the link will expire after some time. If the password reset link no longer works, you can resend a password reset email. We recommend you update your password from time to time to help ensure account security.

If you need additional help, please visit our Help Center.

How do I re-connect my Flipboard account with my social media accounts?

Flipboard replaced or deleted all of its users’ digital tokens because some of those tokens were contained in the databases involved. In the majority of cases, this won’t impact your access, but there is a chance you need to re-establish the connection to view your feed.

Here is how to re-connect your social account to Flipboard for iOS:

1. Tap on your Following tab;

2. Select Accounts;

3. Select the service you want to re-connect;

4. Enter the login credentials for your social account.

Note: On iPad, tap the “Red Ribbon” > select Following > select Accounts.

Here is how to re-connect your social account to Flipboard for Android:

1. Tap on your Profile tab;

2. Tap Settings;

3. Select Accounts;

4. Select the service you want to re-connect;

5. Enter the login credentials for your social account.

Note: On Android tablet, open your profile page > tap Settings > select Accounts.

Now you have a fresh session with your social account and you can return to using it as normal.

If you need additional help, please select Contact at our Help Center.

Should I also reset passwords for my other accounts?

Your Flipboard password was cryptographically protected. However, out of an abundance of caution, we recommend changing your password on any other site or account where you use the same login information. It is best practice to use a unique password for each service.

How will I know that the email notification I received is from Flipboard?

We want you to be confident that the email notification you may receive is from Flipboard. The email will come from the following email address: security-notification@flipboard.com. We also want you to be aware that when other companies have provided notifications like this, there are some people who used it to try to trick individuals into providing information about themselves through the use of links to fake websites (phishing) or by impersonating someone they trusted (social engineering). Please note that the email you may receive from us will not contain any attachments or request any information from you, and any links will only bring you back to this webpage.