Flipboard, a news aggregator service and mobile news app, has started notifying users today of a security incident during which hackers had access to internal systems for more than nine months.
In a series of emails seen by ZDNet that the company sent out to impacted users, Flipboard said hackers gained access to databases the company was using to store customer information.
Flipboard said these databases stored information such as Flipboard usernames, hashed and uniquely salted passwords, and in some cases, emails or digital tokens that linked Flipboard profiles to accounts on third-party services.
The good news appears to be that the vast majority of passwords were hashed with a strong password-hashing algorithm named bcrypt, currently considered very hard to crack.
The company said that some passwords were hashed with the weaker SHA-1 algorithm, but they were not many.
"If users created or changed their password after March 14, 2012, it is hashed with a function called bcrypt. If users have not changed their password since then, it is uniquely salted and hashed with SHA-1," Flipboard said.
Flipboard did not disclose the exact number of accounts to which hackers had access, but it did say that not all Flipboard accounts were impacted.
"We're still in the process of determining the total number," the company said. "We do know that not all accounts were compromised."
In its email, Flipboard said it is now resetting all customer passwords, regardless if users were impacted or not, out of an abundance of caution.
Furthermore, the company has already replaced all digital tokens that customers used to connect Flipboard with third-party services like Facebook, Twitter, Google, and Samsung.
"We have not found any evidence the unauthorized person accessed third-party account(s) connected to your Flipboard accounts," the company said.
But despite some good news for users, the breach appears to be quite extensive, at least for the company's IT staff.
According to Flipboard, hackers had access to its internal systems for almost nine months, first between June 2, 2018, and March 23, 2019, and then for a second time between April 21 and April 22, 2019.
The company said it detected the breach the day after this second intrusion, on April 23, while investigating suspicious activity on its database network.
Flipboard said it notified law enforcement of the security breach.
Updated on May 27, 8:45pm ET, to add a link to Flipboard's official security notice, made public after this article's publication.