Pay cash, write letters, etc., and you are still not safe from attack. My sister got a letter today purporting to be from a university on the other side of the country that she never attended, saying there was a data breach and her information might have been compromised, so please reply and confirm your information, including SSN, and they will determine if you had a loss. She asked me what to do, and I said, "Are you kidding? Trash it, it's a scam."
 
I keep seeing how security needs to improve from social media companies. Having had my credit card hacked twice, both times because Target stores had bad security, I can tell you it's not just social media. And trying to inflict large fines probably won't work either. The only thing that will work is not patronizing businesses that don't protect their customers' data. Fines, especially for large media companies and banks and stores, are treated as a cost of doing business. A serious decline in customers hurts their bottom line immediately and raises doubts in credit and financial markets about their long term viability. Facebook et al. survive because people say they are concerned but actually do nothing. If you are willing to live with your data getting hacked then so is Facebook.
 
While not excusing a breach, the reality is that security is multilayered and simply very hard. It’s a lot like keeping squirrels from bird feeders. The people looking to breach spend all their time and resources to breach but the security people can only do so much.

Factor in third party libraries with their own vulnerabilities, software vulnerabilities, hardware vulnerabilities, and human weaknesses to phishing and the like and the job is even harder.

After having dealt with various security stuff over the years, working with third parties in software scanning, pen testers, etc. I’ve realized that the odds are stacked perpetually against any company. There are more hackers out there with agendas, resources, and cleverness than there are people available to defend against them in every corporation. It’s the blessing and curse of the internet all at once.

I agree but I think another issue is that while developers put a lot of effort into the inner mechanics of their software, things like the front end (UI), and in this case the back end, don't get as much attention as they deserve. I was forced to use a work order system that ran perfectly but the UI was so bad that I almost wept when I had to use it. :)
 
It should be life in prison for mass security incidents for the C-level execs. Why do all these people want me to set up an account anyway? Every g-dang site I go to thinks I should create an account.
 
I like Flipboard and use it almost every day. Not had an email from them though.
I got one :eek:

 
It should be life in prison for mass security incidents for the C-level execs. Why do all these people want me to set up an account anyway? Every g-dang site I go to thinks I should create an account.

You do realize that you can have impeccable security policies and technologies and still get hacked? Government security/spy agencies get hacked and they are about as well protected as possible. So for example, I'm not really seeing why executives should be imprisoned for life if hackers use some zero-day exploit to access sensitive data.

Though I will agree that many accounts are unnecessary and mostly serve to track users.
 
"Unauthorized access" can mean anything though... I want to know if it was some feral employee who decided to go rogue (usually), or external access to something that *should have been* secure in the first place.

Funny, all of these "enhanced security measures" always happen AFTER the incident. You can't protect yourself from everything, but if it was an accident, then security was not a high priority.
 
Fortunately, passwords were heavily encrypted enough to make this data useless - hard to decrypt.

But then, people would know this if they had read the article instead of just the summary!

Flipboard is a really nice news source. Better UI than Apple News, for sure.
 
passwords were salted and hashed, which means they weren't stored in plaintext and would be difficult to crack
I wouldn't count on it. We don't know what hashing algo they used, and specialized hashing hardware is improving so rapidly nowadays that it's scary likely that they can brute force <10 char passwords. If I had a password there that was shared elsewhere (ofc that's bad too), I'd go and change it.
Fortunately, passwords were heavily encrypted enough to make this data useless - hard to decrypt.

But then, people would know this if they had read the article instead of just the summary!

Flipboard is a really nice news source. Better UI than Apple News, for sure.
The article didn't mention any encryption, only hashing, whose strength depends on the entropy of the passwords stored. If everything were encrypted with a key the hackers don't have, it'd be fine.
 
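The hashing-versus-encryption argument above comes down to two separate points: a per-user salt stops an attacker from precomputing one table for the whole dump, but it does nothing against guessing a weak password, and the cost of each guess depends entirely on which algorithm was used, which the thread does not know. The following is an added example written for this page, not code from Flipboard or from anyone in the thread. The usernames, passwords and wordlist are constructed; single SHA-256 and PBKDF2 stand in for "a fast hash" and "a slow KDF" respectively, not for whatever Flipboard actually stored.

```python
import hashlib
import hmac
import os
import time

# Constructed example table: what a defender had on file before the leak.
# Usernames and passwords are made up; carol's is a 16-char random string.
PASSWORDS = {
    "alice": "password1",
    "bob": "Summer2019",
    "carol": "xK9#v2!qLm7$Rt4p",
}

# Tiny constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "password1", "qwerty", "Summer2019", "letmein"]


def fast_hash(password: str, salt: bytes, **_) -> bytes:
    """Salted single SHA-256: the salt is fine, the cost per guess is not."""
    return hashlib.sha256(salt + password.encode()).digest()


def slow_hash(password: str, salt: bytes, iterations: int = 50_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: same salt, roughly `iterations` times the cost per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_dump(hash_fn, **kw):
    """The leaked table: username -> (salt, digest), with a random 16-byte salt per user."""
    dump = {}
    for user, pw in PASSWORDS.items():
        salt = os.urandom(16)
        dump[user] = (salt, hash_fn(pw, salt, **kw))
    return dump


def crack(dump, hash_fn, wordlist, **kw):
    """Offline dictionary attack on a salted dump.

    Because each user has their own salt, the attacker must hash every guess
    once per user instead of once for the whole table (no rainbow tables),
    but a weak password still falls to the first matching guess.
    Returns ({username: recovered_password}, number_of_hash_calls)."""
    found, calls = {}, 0
    for user, (salt, digest) in dump.items():
        for guess in wordlist:
            calls += 1
            if hmac.compare_digest(hash_fn(guess, salt, **kw), digest):
                found[user] = guess
                break
    return found, calls


def compare(iterations: int = 50_000):
    """Crack the same passwords under a fast hash and a slow KDF; return what
    fell and how long each run took, so the per-guess cost difference is visible."""
    t0 = time.perf_counter()
    fast_found, fast_calls = crack(build_dump(fast_hash), fast_hash, WORDLIST)
    fast_secs = time.perf_counter() - t0

    t0 = time.perf_counter()
    slow_found, slow_calls = crack(
        build_dump(slow_hash, iterations=iterations), slow_hash, WORDLIST, iterations=iterations)
    slow_secs = time.perf_counter() - t0

    return {
        "fast": {"cracked": fast_found, "calls": fast_calls, "seconds": fast_secs},
        "slow": {"cracked": slow_found, "calls": slow_calls, "seconds": slow_secs},
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name}: cracked {sorted(r['cracked'])} in {r['calls']} hash calls, {r['seconds']:.3f}s")
```

Both runs recover alice's and bob's passwords with the same 14 hash calls and leave carol's alone: the salt forces one hash per (guess, user) pair but cannot rescue a password that is in the dictionary. What the slow KDF changes is the time per call, which is the only lever the site has once the dump is out; the user's lever is the one the posters already named, a unique random password per site.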
This is a prime example of why you should never reuse your password and should use a Password Manager like 1Password to create unique passwords for each and every website. You will never know which one is left abandoned and eventually hacked with all your info leaked out. I'm appalled by Flipboard's slow response and the length of the compromised period.

I briefly used Flipboard in 2010 to 2011 or so, created an account with them and switched to Zite not long after due to its better algorithm and recommendations, and was mainly on Twitter after Zite was acquired. I don't even remember when the last time was that I opened the app, although the app is hidden in a folder. Fortunately, since I bought 1Password 4-5 years ago, I had already changed their password to a unique long password.
 
I wouldn't count on it. We don't know what hashing algo they used, and specialized hashing hardware is improving so rapidly nowadays that it's scary likely that they can brute force <10 char passwords.
The article didn't mention any encryption.

Kyle and Cartman fighting over encryption vs hashing.
This is a prime example of why you should never reuse your password and should use a Password Manager like 1Password to create unique passwords for each and every website. You will never know which one is left abandoned and eventually hacked with all your info leaked out. I briefly used Flipboard in 2010 to 2011 or so, created an account with them and switched to Zite, and was mainly on Twitter after Zite was acquired. I don't even remember when the last time was that I opened the app, although the app is hidden in a folder. Fortunately, since I bought 1Password 4-5 years ago, I had already changed their password to a unique long password.

Precisely. 1Password++.

I even use unique email addresses for (most) sites. Then when I start getting a fresh spam barrage, I can easily tell who has been breached or is selling my info to third parties.
 
Kyle and Cartman fighting over encryption vs hashing.

Precisely. 1Password++.

I even use unique email addresses for (most) sites. Then when I start getting a fresh spam barrage, I can easily tell who has been breached or is selling my info to third parties.
Great advice for using unique email addresses. It's not difficult to create an alias for Gmail. Just add a plus sign, right?
 
Great advice for using unique email addresses. It's not difficult to create an alias for Gmail. Just add a plus sign, right?

Yep. iCloud as well. I do:

email+websitename@icloud.com

And you can get really insane:
email+website.account1@icloud.com
email+website.account2@icloud.com

This is really handy on sites where you might want multiple accounts (Twitter, IG, etc)

It doesn’t always work as some sites sanitize + in email records, or oddly they will let you create an account but not login. But that seems to be pretty rare in my experience.
 
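The plus-addressing scheme above (email+site@domain, with an optional .accountN sub-tag) is easy to turn into a small tool that tells you which alias a piece of spam arrived on, which is how the earlier poster spotted the Home Depot leak. This is an added example for this page, not code from any poster or from Apple or Google. The base address, domain and the list of recipient addresses are constructed; the sub-tag convention follows the post, and the "untagged" and "foreign" labels are this example's own.

```python
import re
from collections import Counter
from typing import Optional, Tuple

# Constructed: the mailbox owner's real local part and domain.
BASE_LOCAL = "email"
DOMAIN = "icloud.com"

# Constructed sample of the To: addresses seen on incoming mail. Site names are made up.
SAMPLE_RECIPIENTS = [
    "Email+homedepot@icloud.com",        # case differs, same alias
    "email+homedepot@icloud.com",
    "email+twitter.account1@icloud.com",  # the site.accountN convention from the post
    "email+twitter.account2@icloud.com",
    "email@icloud.com",                   # bare address: the base itself leaked or was guessed
]

# local part, optional +tag, domain. The first '+' is treated as the alias delimiter.
ADDR_RE = re.compile(r"^(?P<local>[^@+]+)(?:\+(?P<tag>[^@]+))?@(?P<domain>[^@]+)$")


def alias_for(site: str, account: Optional[str] = None,
              base_local: str = BASE_LOCAL, domain: str = DOMAIN) -> str:
    """Build the alias to hand to a site: email+site@domain or email+site.account@domain."""
    tag = site.lower() if account is None else f"{site.lower()}.{account.lower()}"
    return f"{base_local}+{tag}@{domain}"


def parse_plus_address(addr: str) -> Optional[Tuple[str, Optional[str], str]]:
    """Split an address into (local, tag-or-None, domain); None if it is not one address."""
    m = ADDR_RE.match(addr.strip().lower())
    if not m:
        return None
    return m.group("local"), m.group("tag"), m.group("domain")


def source_of(addr: str, base_local: str = BASE_LOCAL, domain: str = DOMAIN) -> str:
    """Name the site an alias was given to.

    Returns the site label from the tag ('twitter.account2' -> 'twitter'),
    'untagged' for the bare base address, 'foreign' if the local part or
    domain is not ours, and 'unparseable' for anything that is not an address."""
    parsed = parse_plus_address(addr)
    if parsed is None:
        return "unparseable"
    local, tag, dom = parsed
    if local != base_local or dom != domain:
        return "foreign"
    if not tag:
        return "untagged"
    return tag.split(".", 1)[0]


def tally(recipients) -> Counter:
    """Count incoming mail per site label; a sudden jump for one site is the signal."""
    return Counter(source_of(r) for r in recipients)


if __name__ == "__main__":
    for label, n in tally(SAMPLE_RECIPIENTS).most_common():
        print(f"{label}: {n}")
```

The sub-tag split means several accounts on one site still roll up to that site, and mail to the bare address shows up as "untagged", which is worth watching separately: it means the base address itself is out, and a new alias will not help for that one. The caveat from the post still applies on the sending side: this only works for sites that accepted the '+' in the first place.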
Kyle and Cartman fighting over encryption vs hashing.
Lol. I'd watch that episode.
Who are the CTOs and engineers of these companies that decide they want to write their own authentication systems!? Companies need to start getting class action lawsuits for privacy violations and sued into oblivion... then they will start taking security seriously.
If so, I don't think email + password should count as a privacy violation. People can protect themselves against that. It's only a problem when you have to give something like your SSN to a site and they leak it.

Also, there was an attempt to make identity+auth pluggable, OAuth (and its 2.0 version). They screwed it up so badly that IMO we need a new thing that's less complex. As it stands, the best way to handle auth is to outsource to some service like Firebase, and that shouldn't be what it takes.
 
The bad news keeps coming from social media sites that do a poor job in protecting their networks.

Mostly it's only email addresses that get exposed, so just make a new Gmail account or something and use that one for "public" things like forum registration and social media, and have another one that you want private for work.
Not so hard to get more internet privacy if you use your brain.
 
Another day, another breach.

Expect breaches to become more and more common. There is literally no accountability, so companies are encouraged to spend as little as possible on IT, of which security is but a tiny part.

My guess is that the all-out-cheap ones don’t even know they’re being hacked.
 
I've never even heard of Flipboard... but then again I've never even had a FB account, so that's how little I give a flyin' f about social media.

That's ironic. You realize that these forums are an age-old form of social media? :p
Properly-designed token-based authentication (eg. Flipboard to Facebook connection) uses more than just the token itself to validate the connection. So those tokens are likely completely unusable in the hands of bad actors. The tokens do not grant access to your Facebook account if you had a connection from Flipboard. Only Flipboard's systems would be able to use the tokens.
Also, there was an attempt to make identity+auth pluggable, OAuth (and its 2.0 version). They screwed it up so badly that IMO we need a new thing that's less complex. As it stands, the best way to handle auth is to outsource to some service like Firebase, and that shouldn't be what it takes.


Auth0 ... "auth-zero"... (not to be confused with OAuth) wraps around OAuth and makes the process much, much simpler. It abstracts away the complexities of establishing OAuth connections with many services, as well as offering direct Username-Password authentication against its own database. I just started working with their tech and it does make life a LOT easier. Great documentation, great library of SDKs. These guys are doing it right.
 
His POINT - as is MINE - was that some folks have NO interest in those apps. Especially in light of the hacking of accounts that has been ongoing for several years, it's good that people stay away from them. I have not one anti-social media account.

Yet here you are posting on a public forum, which is social networking.
 
I even use unique email addresses for (most) sites. Then when I start getting a fresh spam barrage, I can easily tell who has been breached or is selling my info to third parties.

When I started doing this I couldn't believe it when I started getting spam from the address I created for Home Depot. And I don't mean advertising.
 