An unauthorized party accessed databases belonging to news and social network aggregation service Flipboard and possibly stole copies of certain users’ information.

The illegal activity took place over a nearly 10-month span from June 2, 2018 through March 23, 2019, then paused before resuming on April 21 and 22 of this year, according to an online notification posted by Palo Alto, California-based Flipboard, which delivers content via its own app and website.

“On April 23, 2019, our engineering team identified the unauthorized activity that occurred on April 21-22, 2019. At that time, we were investigating the suspicious activity that occurred on March 23, 2019,” the notification states.

Flipboard’s services are used by a reported 150 million visitors per month. It is currently unclear how many of its users were affected in the incident, but the company has confirmed that exposed information includes names, usernames, salted and hashed passwords, and, for a subset of victims, email addresses and digital tokens that link third-party online accounts to their Flipboard accounts.

Passwords that were created or changed after March 14, 2012 are protected with bcrypt, while older passwords are protected with SHA-1. Nevertheless, Flipboard is still requiring users to change their credentials the next time they attempt to log in. The company has decided not to force an immediate update by automatically logging out users, however.
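The two-tier password store described above (legacy salted SHA-1 records alongside newer slow-hash records) is the situation a forced change at next login is meant to clean up. The following is an added illustration, not Flipboard's code: it verifies a stored record under whichever scheme it was written with and, when a legacy SHA-1 record verifies, transparently re-hashes the password under a slow KDF. The record format is a constructed assumption, and hashlib.scrypt stands in for bcrypt because bcrypt is not in the Python standard library.

```python
import hashlib
import hmac
import os

# Constructed record format (assumption, not Flipboard's): "<scheme>$<salt_hex>$<digest_hex>"
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # 16 MiB of memory per guess


def legacy_sha1_hash(password: str, salt: bytes) -> str:
    """Fast, unsalted-by-design SHA-1 with a prepended salt: the pre-2012 style scheme."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes) -> str:
    """Memory-hard KDF standing in for bcrypt; each guess costs real time and RAM."""
    return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS).hex()


def make_record(password: str, scheme: str = "scrypt") -> str:
    """Create a stored record; 'sha1' exists only to model legacy rows."""
    salt = os.urandom(16)
    digest = legacy_sha1_hash(password, salt) if scheme == "sha1" else slow_hash(password, salt)
    return f"{scheme}${salt.hex()}${digest}"


def verify_and_upgrade(password: str, record: str):
    """Return (ok, new_record). new_record is non-None only when a legacy row was upgraded.

    Verification uses a constant-time comparison so a wrong guess cannot leak how many
    leading digest bytes matched.
    """
    scheme, salt_hex, stored = record.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "sha1":
        candidate = legacy_sha1_hash(password, salt)
    elif scheme == "scrypt":
        candidate = slow_hash(password, salt)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    ok = hmac.compare_digest(candidate, stored)
    if ok and scheme == "sha1":
        # The only moment the plaintext is available: replace the weak row now.
        return True, make_record(password)
    return ok, None
```

In a real deployment the caller would write the returned record back and, as in the article, treat remaining legacy rows as credentials that must be rotated.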

The company also says it disconnected and then replaced or deleted all digital tokens in response to the incident, even though there is no evidence that the perpetrator accessed any third-party accounts linked with Flipboard.

Flipboard does not collect highly sensitive PII such as Social Security numbers, government-issued IDs and financial information.

To prevent a repeat of this incident, the company says “we implemented enhanced security measures and continue to look for additional ways to strengthen the security of our systems.” Flipboard also has engaged with both law enforcement and an external security firm.

But Kevin Gosschalk, CEO at Arkose Labs, suggested that it’s a case of too little, too late. “Proactive security measures need to be in place at all times to protect the enterprise attack surface and to secure the sensitive data it collects,” said Gosschalk, in emailed comments. “Flipboard did not have enough insight into their systems to determine that… users’ data was exposed to hackers for nine months,” and now that information can potentially “be weaponized in future account takeover attacks.”

Asaf Hecht, cybersecurity researcher at CyberArk, said the prolonged breach is a “perfect example of the meticulous and patient nature of today’s cyber attackers and how organizations miss multiple opportunities to thwart attacks across the cyber kill chain.” The months that the hacker spent hidden on Flipboard’s network “is typically used to conduct reconnaissance to identify a company’s most valued data and plot pathways that go around existing security systems. This period of reconnaissance and lateral movement is a critical part of the cyber kill chain when attacks can be mitigated before causing damage.”

Terry Ray, SVP and fellow at Imperva, remarked that while modern data repositories offer an array of enticing benefits to user organizations, they also “introduce complexities and requirements” that require a skilled technical staff to manage responsibly. “It is yet another area in which technology and business needs are outpacing the expertise of technical staff, and this discrepancy is leading to simple security mistakes that simply shouldn’t happen,” said Ray.

“That said, Flipboard was doing something right: not storing passwords in plaintext,” Ray continued. Hashing and salting makes it “incredibly difficult for attackers to obtain your password.”

Casey Ellis, CTO and founder of Bugcrowd, also praised Flipboard for its response upon discovery of the intruder. “Once it identified the breach, it reacted quickly, rotating user passwords and launching an investigation,” he said. “Although nine months is a long time to have a bad guy in your network, this incident demonstrates both how common the opportunity for an attacker to enter a network is and how difficult it is to identify the problem once they’re entrenched.”