Another day, another data breach. This time, it has affected 21 million users of the popular time capsule app Timehop.
Timehop revealed (opens in new tab) that the attack, which took place on July 4, has exposed the personal data, including names and email addresses, of practically its entire user base. Of those affected, a fifth – 4.7 million – also had a phone number attached to their account.
The app works by plugging into your social media accounts, like Facebook, Twitter and Instagram, to bring up posts from years gone by. According to the startup, the hacker was able to grab keys and tokens that the app uses to access and display social media memories.
How the heist went down
The hacker was able to enter Timehop’s cloud computing account, which wasn’t protected by multifactor authentication — a basic security measure that was lacking.
A preliminary investigation of the incident has revealed that the attacker first accessed Timehop’s cloud environment on December 19 last year by using compromised admin credentials and created a new admin account. The attacker returned for a look-see once more in December, then in March this year, followed by another survey in June, although the actual attack didn’t take place till Fourth of July came along.
Timehop says the breach was discovered two hours after it was started and was able to interrupt the data transfer, although not in time to stop user data from being stolen.
According to the startup, users’ private messages, financial data, social media content and Timehop data were not compromised as it deletes copies of old posts and photos once they’ve been viewed. The company also doesn’t store information like credit card details, locations and IP addresses.
Timehop’s access tokens and user data have not yet made an appearance on forums and the dark web, but the company has hired cybersecurity experts to track if they do. So far, no unauthorized access has been reported on any account and all keys have been deactivated.
Timehop, in the meantime, has enabled multifactor authentication on “all accounts that did not already have them for all cloud-based services,” meaning there was possibly more than one admin account for the attackers to gain access with.
“We want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall. In general, Timehop only has access to social media posts you post yourself to your profile,” the company said via a blog post (opens in new tab).
In its defense, the company says, “There is no such thing as perfect when it comes to cyber security but we are committed to protecting user data. As soon as the incident was recognized we began a program of security upgrades,” which is a perhaps a little bit too late.