News aggregator Flipboard disclosed in a recent announcement that hackers gained access to and potentially obtained copies of some of its databases containing user information between June 2, 2018 and March 23, 2019, and from April 21 to 22, 2019. Flipboard said it detected the intrusion on April 23, a day after the second hack, “after identifying suspicious activity in the environment where the databases reside”.

What information was compromised?

Flipboard, which has more than 145 million monthly active users, said it was in the process of determining how many accounts were affected. It said the compromised databases contained users’ names, Flipboard usernames, and cryptographically protected password and email addresses. For users who had connected their Flipboard account to a third-party account, including social media accounts, the compromised databases may have contained digital tokens. However, it said it had found no evidence that the unauthorized person accessed these third-party account(s). Flipboard emphasized that the database did not contain government-issued IDs, bank account details, credit card numbers, or any other financial information.

What action has Flipboard taken?

Flipboard said it had reset all users’ passwords as a precaution, and was in the process of notifying all affected users. It said all users would be prompted to create a new password when they next tried to log in. As another precaution, Flipboard said it disconnected tokens used to connect to all third-party accounts and replaced or deleted all digital tokens. This, it said, would require users who accessed Flipboard through their social media accounts to reconnect them to the platform. The company said it also hired an external security firm and launched an investigation. In addition, it implemented “enhanced security measures” and notified law enforcement.

Recent data breaches: Truecaller, Justdial, Amazon India

  • Last month, the Economic Times reported that the private data of users of caller ID and UPI payments app Truecaller – including names, phone numbers and email addresses – was available for purchase on the so-called dark web. It said the data of Indian users was being sold for about €2,000 (approx Rs 1.55 lakh), while that of global users was priced as high as €25,000 (approx Rs 19.5 lakh). A Truecaller spokesperson told MediaNama that the company’s database had not been breached, but said it was possible that some malicious users had been abusing their Truecaller accounts to collect phone numbers in violation of the company’s terms of service.
  • In April, Justdial suffered a data breach that leaked the data of more than 100 million users, including name, email, mobile number, gender, date of birth, photo, company and occupation. More than 70% of the data belonged to users who had called Justdial’s “8888888888” number but the data of unregistered users may also have been leaked.
  • Amazon India faced a data breach in January in which sellers’ data from their merchant tax reports was exposed to other sellers. The breach came to light when sellers logged on to Amazon to download their monthly merchant tax reports, which had information such as sales volume across categories, orders processed, and inventory.