Flipboard was my favorite app for catching up on news and other interesting bits from the internet. I stopped using it over six months ago. I’ll tell you why in a moment.
Flipboard recently reported that millions of its 150 million active users had been hacked in a data breach dating all the way back to 2018. You can see the headline that caught my eye this morning here: https://techcrunch.com/2019/05/28/flipboard-hacks-password-resets/?tpcc=ECFB2019
I reported this to Flipboard back in January of this year. I had already been using Flipboard less frequently but stopped completely when I couldn’t access my account. I was being prompted for a password despite not being asked to login since I originally setup the app years ago. I figured that I had just forgotten my password since I hadn’t needed to use it in so long. I was wrong. Upon further investigation, I discovered that my account had been hijacked and used to distribute malicious links.
I set out to restore access to my account and reported the incident to Flipboard. It wasn’t easy to find a way to contact Flipboard directly, but I eventually found an email address for support.
After a few email exchanges with “support”, I was able to reset my password, regain access to my account, and delete my hijacked profile. Flipboard never acknowledged the incident. Perhaps my report never reached human eyes, perhaps it did and was ignored on purpose.
Regardless, their incident response process failed. A good IR process has a reliable mechanism for users to report security incidents. Even in an automated process, the fact that I used the word hijacked in my report should have set off alarms. The method for reporting an incident should be easy for users to find. Maybe I should have tried harder and Tweeted at them regarding my experience, but how much should we rely on users to sound the alarm? Shouldn’t that mostly fall on the service provider? Obviously, in this case, their systems failed to detect and respond to the malicious activity and user reported incidents (I’m now sure I wasn’t the only one.)
Whether you use Flipboard or you’ve never heard about it, the lesson here is to keep an eye on all of your accounts. Don’t count on the provider to do it. If you have accounts that are no longer used, delete them. If you notice suspicious activity, change your password and report it to the app or website provider. You might even consider switching providers (or reducing the number of apps that you use) – just remember that this can happen to any company. Ultimately, you are responsible for protecting your identity and reputation online.